Abstract

We give a detailed, informal proof of the Church-Rosser property for the untyped λ-calculus and show its representation in LF. The proof is due to Tait and Martin-Löf and is based on the notion of parallel reduction. The representation employs higher-order abstract syntax and the judgments-as-types principle and takes advantage of term reconstruction as it is provided in the Elf implementation of LF. Proofs of meta-theorems are represented as higher-level judgments which relate sequences of reductions and conversions.
1 Introduction

The logical framework LF [HHP] has been designed as a formal meta-language for the representation of deductive systems. It is based on a predicative type theory with dependent types in which judgments are represented as types and deductions are represented as objects. In this report we explore the use of this framework for the formalization of the theory of the untyped λ-calculus. More specifically, we will develop a proof and representation of the Church-Rosser theorem under β-reduction. This report will focus on techniques of representation — details of the LF type theory and its implementation in Elf can be obtained from [HHP, Pfe91b]. Elf is a logic programming language based on the LF type theory, although in this report we deemphasize the operational aspects of Elf. All the Elf code in this report has been type-checked and executed in the current implementation [Pfe91a].¹ If the Elf implementation of the proof is ignored, this report can also be read as a detailed, informal proof of the Church-Rosser theorem using the method of parallel reductions due to Tait and Martin-Löf.

The methodology for the representation of meta-theorems (such as the Church-Rosser theorem) can be seen as consisting of three stages. The first stage is the formalization of the abstract syntax of the language under consideration. Here we use the idea of higher-order abstract syntax which requires that variables of the object language are represented by variables of the meta-language.

¹ The code in this report and the implementation are available via anonymous ftp. Please send electronic mail to the author at fp@cs.cmu.edu for further information.
This allows common conventions in the proofs of meta-theorems which concern bound variables to be supported directly in the meta-language. In particular, we can avoid explicit renaming of bound variables (which is modeled by α-conversion in the framework) and have a notation for capture-avoiding substitution (which is modeled by β-reduction). It may appear that the framework is specifically designed just for the implementation of the λ-calculus, but in fact bound variables occur in most programming languages and the technique of higher-order abstract syntax has wide applicability in theorem proving and logic programming [Fel89, NM88, Pau86], and the theory of programming languages [Han91, HP92, MP91].

The second stage is the formalization of the semantics of the language which is given via judgments defined by inference rules. The judgments are implemented as types and deductions as objects. Thus the relationship between a deduction and the judgment it establishes is represented as the relationship between an object and its type. In our example, we will represent various reduction and conversion relations in this style. Similar techniques have been used to specify type systems, operational semantics, compilation and other aspects of the semantics of programming languages (see, for example, [Han91, HP92, Har90, MP91]).

The third stage is the formalization of the proofs of meta-theorems in the framework. The construction which is implicit in the proof is represented as a judgment which relates deductions. For example, in the proof of the Church-Rosser theorem we have to show the existence of certain reduction sequences, given other reduction sequences. This is done via an explicit construction which can be represented as a judgment. Verifying that this higher-level judgment indeed represents a proof is left to a process called schema-checking (see [PR92, HP92]) which is currently mostly done by hand, since the implementation is still incomplete. This means that there is still the possibility of error in the implementation of the proof.

Thus all three stages, representation of abstract syntax, semantics, and meta-theory, are carried out within the same logical framework. The concrete implementation of the framework within the Elf programming language has other features which we will mostly ignore for the purposes of this discussion, but we briefly review Elf here. Its concrete syntax is very simple, since we only have to model the relatively few constructs of LF. While LF is stratified into the levels of kinds, families, and objects, the syntax is overloaded in that, for example, the symbol Π constructs dependent function types and dependent kinds. Similarly, juxtaposition is concrete syntax for instantiation of a type family and application of objects. We maintain this overloading in the concrete syntax for Elf and refer to expressions from any of the three levels collectively as terms. A signature is given as a sequence of declarations.


Terms          term ::= id                        a or c or x
                      | {id:term1} term2          A2 or Πx:A1. K
                      | [id:term1] term2          λx:A. M
                      | term1 term2               A M or M1 M2
                      | type                      Type
                      | term1 -> term2            A1 → A2
                      | term1 <- term2            A2 → A1
                      | {id} term | [id] term     omitted types
                      | _                         omitted terms
                      | term1 : term2             cast
                      | (term)                    grouping

Declarations   decl ::= id : term.                a:K or c:A
The terminal id stands either for a bound variable, a free variable, or a constant at the level of families or objects. Bound variables and constants in Elf can be arbitrary identifiers, but free variables in a declaration or query must begin with an uppercase letter (an undeclared, unbound lowercase identifier is flagged as an undeclared constant). An uppercase identifier is one which begins with an underscore _ or a letter in the range A through Z; all others are considered lowercase, including numerals. Identifiers may contain all characters except ( ) { } [ ] : . % and whitespace. In particular, A->B would be a single identifier, while A -> B denotes a function type. The left-pointing arrow as in B <- A is a syntactic variant and parsed into the same representation as A -> B. It improves the readability of some Elf programs. The simple function type A -> B is treated as an abbreviation for {x : A} B where x does not occur in B.

The right-pointing arrow -> is right associative, while the left-pointing arrow <- is left associative. Juxtaposition binds tighter than the arrows and is left associative. The scope of quantifications {x : A} and abstractions [x : A] extends to the next closing parenthesis, bracket, brace or to the end of the term. Term reconstruction fills in the omitted types in quantifications {x} and abstractions [x] and omitted types or objects indicated by an underscore _. In case of essential ambiguity a warning or error message results. Declarations may contain free variables which can be interpreted schematically, just as typical inference rules are schematic. This means that a declaration with free variables can intuitively be thought of as representing all its instances. Such declarations are translated into LF by adding (implicit) Π-quantifiers for all free variables. The corresponding (implicit) arguments are reconstructed by the Elf front end employing a variant of higher-order unification. This and other aspects of Elf are explained in more detail in [Pfe91b], but we hope that the material in the remainder of this report can be understood at a pragmatic level without detailed knowledge about the term reconstruction algorithm.

Single-line comments begin with % and extend through the end of the line. A delimited comment begins with %{ and ends with the matching }%, that is, delimited comments may be properly nested. The parser for Elf also supports infix, prefix, and postfix declarations similar to the ones available in Prolog, and we will see some examples of infix declarations later.

2 The Untyped λ-Calculus

We consider the pure untyped λ-calculus whose syntax is given by

Terms  M ::= x | M1 M2 | λx. M.

Here x stands for variables. We will use M and N as meta-variables ranging over terms. A term of the form λx. M binds the variable x and the rule of α-conversion allows the explicit renaming of bound variables. We use the convention that α-conversions can be performed implicitly, or, as Barendregt [Bar80] puts it: "Terms that are α-congruent are identified." Conventions of this kind are common right from the beginning of the study of the λ-calculus (see, for example, the original paper with a proof of the Church-Rosser theorem [CR36]). In order to avoid any possible problems which arise from this convention, a common route is to go to combinatory calculi [CF58] or to use de Bruijn indices [dB72]. It is interesting to note that de Bruijn's motivation for his notation for λ-terms came from a proof of the Church-Rosser theorem, and Shankar's mechanization of the Church-Rosser theorem in the Boyer-Moore theorem prover [Sha88, BM79] uses de Bruijn indices. In LF, the detour via de Bruijn indices is not necessary, since variable naming conventions can be supported directly in the framework.

We use parentheses to disambiguate the concrete syntax of terms. In our presentation, application associates to the left, and the scope of λ-abstraction extends to the next closing parenthesis or the end of the expression. For example (λx. λy. x y y) z would be (λx. (λy. ((x y) y))) z with all explicit parentheses. For further background material on the untyped λ-calculus, the reader may consult Barendregt's comprehensive book [Bar80].

The representation of the syntax of the untyped λ-calculus is an archetypical use of higher-order abstract syntax. Variables of the object language (the λ-calculus, in this example) are represented by variables in the meta-language. For such a representation to be correct, variables bound in the object language must also be bound in the meta-language. We define ⌜M⌝, the representation of the term M in Elf, inductively on the structure of M. Recall that [x:A] P is Elf's concrete syntax for abstraction in the framework and binds a variable x of type A in the object P.

  ⌜x⌝      = x
  ⌜M N⌝    = app ⌜M⌝ ⌜N⌝
  ⌜λx. M⌝  = lam ([x:term] ⌜M⌝)


For example,

  ⌜λx. λy. x⌝ = lam [x:term] lam [y:term] x.

As far as we know, this representation is due to Wadsworth [Wad76] and used by Meyer [Mey82] in the construction of an environment model of the untyped λ-calculus. The notation used there is for lam and $ for app. From the representation above we can read off the type of the constructors, leading to the following signature.


  term : type.  %name term M

  lam  : (term -> term) -> term.
  app  : term -> term -> term.

The annotation %name term M instructs Elf to use M, M1, etc. as names for new variables of type term which may be introduced during search or term reconstruction.

Our notation for the result of substituting N for x in M is [N/x]M. We require that no free variable in N is bound in M in order to avoid variable capture. This means that M may have to be renamed into an equivalent form before substitution can be carried out.

The representation function ⌜·⌝ is a bijection between terms in the untyped λ-calculus and canonical objects in the LF type theory of type term. Furthermore, the function is compositional, that is, substitution commutes with representation. Formally,

  ⌜[N/x]M⌝ = [⌜N⌝/x]⌜M⌝.

Note that substitution on the right-hand side is substitution within the LF type theory. We further observe that

  [⌜N⌝/x]⌜M⌝ = ([x:term] ⌜M⌝) ⌜N⌝

which can be paraphrased by saying that substitution at the object-level (the untyped λ-calculus) is implemented by β-reduction at the meta-level (the LF type theory). Here, = stands for definitional equality in the framework which includes β-conversion.


3 Reduction and Conversion

The operational semantics of the untyped λ-calculus is usually given via a reduction relation, where the meaning of a term is its normal form, that is, a term which cannot be reduced further. But is this legitimate? Unless we can show that such a normal form is essentially unique, the semantics would be ambiguous. In this section we will formulate some reduction relations for the untyped λ-calculus and then investigate their properties in Section 5.

At the heart of the reduction relation lies the rule of β-reduction, whereby a term (λx. M) N is reduced to [N/x]M. Recall that substitution may require renaming of bound variables in M in order to avoid variable capture. This reduction may be applied anywhere inside a term — something which is not true, for example, for evaluation relations for programming languages (both in call-by-name and call-by-value semantics, see [Plo75]). One may consider this as a distinguishing characteristic of general reduction compared to evaluation.

Thus the first judgment we would like to define is M → M' (read: M reduces to M'). This judgment is defined by a set of inference rules. These rules are subscripted by "1" in order to indicate that this is the first formulation we are considering. In the course of the proof of the Church-Rosser theorem we will need to consider other reduction relations.


  --------------------------- beta₁
  (λx. M1) M2 → [M2/x]M1

       M → M'
  ------------------ lm₁
  λx. M → λx. M'

     M1 → M1'                      M2 → M2'
  ------------------ apl₁       ------------------ apr₁
  M1 M2 → M1' M2                 M1 M2 → M1 M2'

The first rule beta₁ is the β-reduction rule proper. The other three allow us to perform the β-reduction anywhere inside a term. These rules are frequently referred to as congruence rules. Note that the rule lm₁ is somewhat peculiar, since we require that the bound variable on both sides be named x, even though we made the general assumption that the names of bound variables should be irrelevant. Here is a simple example of a deduction.

  --------------------------- beta₁
  (λx. λy. x) z → λy. z
  ------------------------------- apl₁
  (λx. λy. x) z z → (λy. z) z

Using the judgments-as-types principle, a deduction is now represented as an object whose type describes the judgment. Thus a type of the form red ⌜M⌝ ⌜M'⌝ represents the type of all deductions of the judgment M → M'. Since ⌜M⌝ and ⌜M'⌝ are of type term, the so-called type family red has kind term -> term -> type. Actually, instead of using red in prefix notation, we use --> in infix notation. The %infix annotation below has this effect.² The %name annotation indicates that Elf should use R, R1, etc. as meta-variables ranging over deductions.

  --> : term -> term -> type.  %infix none 10 -->
  %name --> R

In the first approximation, the representation of an inference rule is a function from deductions of its premisses to a deduction of its conclusion. For example, beta₁, which has no premisses, is represented as a constant beta1.

² The keyword none declares that the operator --> is not associative and 10 is its precedence, with higher precedence binding tighter. Keywords left and right instead of none declare left and right associative operators, respectively.
  beta1 : (app (lam M1) M2) --> M1 M2.

Here, M1 has type term -> term and represents the scope of a λ-abstraction. Applying this function to M2, the representation of the argument, is definitionally equal to the representation of [M2/x]M1, where x is the variable bound by λ. We are thus taking advantage of the compositionality of the representation as expressed by

  ⌜[M2/x]M1⌝ = ([x:term] ⌜M1⌝) ⌜M2⌝.

The declaration above can be understood schematically, just as the inference rule itself: any valid instance of beta1 is a valid object of the appropriate type. In a more explicit version, M1 and M2 could be made explicit arguments to beta1, as in the declaration beta1' below.

  beta1' : {M1:term -> term} {M2:term}
            (app (lam M1) M2) --> M1 M2.

To continue in the representation, the rule lm₁ introduces an additional complication: the explicit mention of the bound variable x. The solution is to introduce a new parameter x and substitute it on both sides. A formulation along these lines as an inference rule might be

  [x/y]M → [x/y']M'
  ---------------------- lm₁
  λy. M → λy'. M'

with the proviso that the parameter x does not already occur in M or M'. This can now readily be implemented in Elf, using the same idea as above to represent substitution. This still leaves us to deal with the proviso, which is common in deductive systems. We consider the premiss a judgment parametric in x, that is, we should be able to substitute any term N for x in the deduction of the premiss to obtain a deduction of ⌜[N/x]M⌝ → ⌜[N/x]M'⌝. Recall that {x:A} B (usually written Πx:A. B) is the Elf notation for the type of an LF function which accepts an object P of type A and returns an object of type [P/x]B.

  lm1 : ({x:term} M x --> M' x)
         -> (lam M) --> (lam M').

The remaining two rules are simpler since they do not involve variable binding.

  apl1 : M1 --> M1'
          -> (app M1 M2) --> (app M1' M2).

  apr1 : M2 --> M2'
          -> (app M1 M2) --> (app M1 M2').

The example deduction above is represented by

  apl1 beta1 : app (lam [x] lam [y] x) z --> lam [y] z.

where z : term. A slightly more complicated example:

  lm1 ([x:term] beta1) : (lam [x] (app (lam [y] y) x)) --> lam [x] x.
This list of declarations can also be used as a logic program to reduce a given term. A goal, usually an atomic formula in Prolog, is given by a type in Elf. Instead of attempting to find a proof of a formula as in Prolog, Elf searches for a closed object of the given type. This search proceeds in a depth-first fashion as in Prolog, considering each inference rule in turn and constructing an appropriate object incrementally. When the signature above is used as a program it will find the leftmost-outermost redex first and reduce it. Upon backtracking, other possible reductions will be enumerated. For example, consider enumerating the (single-step) reductions of (λx. x x) ((λy. y) (λz. z)).

  ?- R : (app (lam [x] (app x x)) (app (lam [y] y) (lam [z] z))) --> M'.
  Solving...
  M' =
     app (app (lam ([y:term] y)) (lam ([z:term] z)))
         (app (lam ([y:term] y)) (lam ([z:term] z))).
  R = beta1.
  ;
  M' = app (lam ([x:term] app x x)) (lam ([z:term] z)).
  R = apr1 beta1.
  ;
  no more solutions

Here, M' is a free variable (a logic variable in the Prolog terminology) which is instantiated by unification during search. The variable R will be bound to the resulting deduction. In this example there are two possible single-step reductions, one which reduces the top-level redex, another which reduces the redex in the right-hand side. The corresponding deductions consist of only one or two inferences. The semi-colon in the transcript indicates that the user asked for further solutions.

The next task is to encode multi-step reductions. One usually defines M →* M' iff there exists a sequence of reductions

  M = M0 → M1 → ··· → Mn = M'

for some n ≥ 0. While the logical framework does not have an immediate notation for this sort of definition, we can also define it via a very simple deductive system.


  ---------- id₁
  M →* M

  M → M'    M' →* M''
  ---------------------- step₁
       M →* M''

Reconsider the example above.

  --------------------------- beta₁
  (λy. y) (λx. x) → λx. x
  ------------------------------------------------- apr₁    R*
  (λx. x x) ((λy. y) (λx. x)) → (λx. x x) (λx. x)     (λx. x x) (λx. x) →* (λx. x) (λx. x)
  --------------------------------------------------------------------------------------- step₁
  (λx. x x) ((λy. y) (λx. x)) →* (λx. x) (λx. x)

where

       ------------------------------------- beta₁    ------------------------------------- id₁
       (λx. x x) (λx. x) → (λx. x) (λx. x)            (λx. x) (λx. x) →* (λx. x) (λx. x)
  R* = ----------------------------------------------------------------------------------- step₁
       (λx. x x) (λx. x) →* (λx. x) (λx. x)
The implementation of the inference rules in Elf is simple, since it does not involve any side conditions or bound variables.

  -->* : term -> term -> type.  %infix none 10 -->*
  %name -->* R*

  id1   : M -->* M.

  step1 : M --> M'
           -> M' -->* M''
           -> M -->* M''.

The interpretation of this declaration as a program is now much less useful, since execution can easily lead to infinite regression even though solutions may exist. This is because the operational semantics of Elf will solve the subgoals which arise after an application of the step1 rule in an order which is inconvenient in this example. This illustrates a general phenomenon: in many cases, a straightforward specification of an inference system will not be useful as a program. In order to obtain a program we have to design an algorithm and then implement it separately from the specification. A complete strategy for multi-step reduction is a left-most outermost strategy. This reduction strategy can also be implemented and its completeness can be proved in Elf, but we leave this to a future report. Briefly, Elf searches through a signature in a depth-first fashion, trying inference rules from the top to the bottom, solving the innermost subgoal first. For more information on the operational semantics of Elf the reader is referred to [Pfe91b] or [MP91] for a more tutorial presentation. Through sheer luck, however, we can generate the deduction above even with this operationally inadequate signature. It is given as the third and final answer before the program diverges.

  ?- R* : (app (lam [x] (app x x)) (app (lam [y] y) (lam [z] z))) -->* M'.
  Solving...
  M' = app (lam ([x:term] app x x))
           (app (lam ([y:term] y)) (lam ([z:term] z))).
  R* = id1.
  ;
  M' =
     app (app (lam ([y:term] y)) (lam ([z:term] z)))
         (app (lam ([y:term] y)) (lam ([z:term] z))).
  R* = step1 beta1 id1.
  ;
  M' = app (lam ([x:term] app x x)) (lam ([z:term] z)).
  R* = step1 (apr1 beta1) id1.
  ;
  M' = app (lam ([z:term] z)) (lam ([z:term] z)).
  R* = step1 (apr1 beta1) (step1 beta1 id1).
  ;
  interrupt

Finally we come to conversion, a notion of equality generated from (multi-step) reduction. It is the smallest equivalence relation on terms which contains the reduction relation. This can be expressed as an inference system with four rules; the first three for reflexivity, symmetry, and transitivity express that conversion, written as ↔, is an equivalence relation. The fourth rule expresses that if one term can be reduced to another, the two should be convertible.


                   M ↔ M'          M ↔ M'    M' ↔ M''            M →* M'
  -------- refl    --------- sym   --------------------- trans   ---------- red
  M ↔ M            M' ↔ M                M ↔ M''                   M ↔ M'

The representation in Elf is a direct transcription.

  <-> : term -> term -> type.  %infix none 10 <->
  %name <-> C

  refl  : M <-> M.

  sym   : M <-> M'
           -> M' <-> M.

  trans : M <-> M'
           -> M' <-> M''
           -> M <-> M''.

  red   : M -->* M'
           -> M <-> M'.

The Church-Rosser theorem [CR36] now states that if M ↔ M' then there exists some N such that M →* N and M' →* N. We are taking the liberty of simply using a judgment J to stand for the meta-language proposition "J is derivable" or "J is evident". We hope that this will not lead to any confusion on the part of the reader. The Church-Rosser theorem is also described by the following diagram.

  M <-------> M'
    .        .
     .      .
      .    .
        N

The solid lines indicate that a certain relation is assumed, the dotted line means that the existence of the relation is asserted. Instead of * we use a double-headed arrow to indicate multi-step reductions. We will usually label the lines with a variable for deductions of the corresponding judgment. The Church-Rosser theorem is then more explicitly described by the following diagram.
         C
  M <-------> M'
    .        .
  R* .      . R*'
      .    .
        N

As a warm-up exercise we prove a few lemmas about the multi-step reduction relation and give the representation of these proofs in Elf. First we would like to show that multi-step reduction is transitive. In general we use the notation D :: J to express that D is a deduction of the judgment J. In this particular example, R :: M → M' can be read as R is a reduction from M to M', and similarly for R* :: M →* M'. Note that the existence of an explicit notation for deductions gives us an explicit notation for reductions, sequences of reductions, and conversions. We generally use R and S to range over (single-step) reductions, R* and S* to range over multi-step reduction, and C to range over conversion. Each of these thus ranges over deductions of particular judgments.

Lemma 1 (Transitivity of →*) If M →* M' and M' →* M'' then M →* M''.

Proof: The proof is by induction over the structure of R* :: M →* M'. We will provide an explicit description of a method for constructing S*' :: M →* M'' given R* and S* :: M' →* M''.

Case:

  R* = ---------- id₁
        M →* M

By assumption we have a deduction S* :: M' →* M'' and M = M'. Thus S*' = S* :: M →* M'' is sufficient to prove the lemma in this case.

Case:

         R1         R2*
       M → M1     M1 →* M'
  R* = ----------------------- step₁
             M →* M'

By the induction hypothesis on R2* and S* there exists a deduction S2*' :: M1 →* M''. Applying the rule step₁ to R1 and S2*' then yields the desired deduction of M →* M''.

□

We represent the algorithmic content of this proof as a judgment which relates the three deductions involved, R* :: M →* M', S* :: M' →* M'', and S*' :: M →* M''. This judgment is then encoded in Elf as a type family

  appd : M -->* M' -> M' -->* M'' -> M -->* M'' -> type.

such that whenever there exists a closed object of type appd R* S* S*' then S*' represents the reduction sequence generated by applying the algorithm which is implicit in the proof above to R* and S*. A moment's reflection reveals that this algorithm does nothing but append the reduction sequences R* and S*. Note that we use a left-pointing arrow in notation inspired by logic programming in order to emphasize the computational nature of the rules. Semantically, there is no difference between A -> B and B <- A.


  appd_id   : appd id1 S* S*.

  appd_step : appd (step1 R1 R2*) S* (step1 R1 S2*')
               <- appd R2* S* S2*'.

Term reconstruction (which includes type-checking) of these declarations guarantees that reduction sequences are composed only when this is sensible, that is, the result of one reduction sequence is the starting point of another. However, type-checking does not guarantee that appd is total in its first two arguments. This is the responsibility of schema-checking which, in essence, checks that the judgment is primitive recursive in some argument and must therefore be total. The implementation of schema-checking is currently still incomplete and must be carried out by hand. Automation, that is, the mechanical construction of representations of proofs such as the one above, is the subject of current research — for now we concentrate merely on the representation of deductions found first by informal reasoning.
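As an added example (not code from the report), the signatures of Sections 2 and 3 and the appd judgment of Lemma 1 transcribed into Twelf, the successor of Elf: the %query directives check the solution counts discussed with the transcripts above, the multi family is an assumed variant of -->* whose premiss order lets search terminate on the example term, and %mode, %worlds and %total perform mechanically the totality check that the report leaves to hand schema-checking.

```twelf
%% Syntax of the untyped lambda-calculus in higher-order abstract syntax (Section 2).
term : type.  %name term M.
lam  : (term -> term) -> term.
app  : term -> term -> term.

%% Single-step reduction (Section 3).  Twelf wants a period after %infix and %name.
--> : term -> term -> type.  %infix none 10 -->.
%name --> R.

beta1 : (app (lam M1) M2) --> M1 M2.
lm1   : ({x:term} M x --> M' x) -> (lam M) --> (lam M').
apl1  : M1 --> M1' -> (app M1 M2) --> (app M1' M2).
apr1  : M2 --> M2' -> (app M1 M2) --> (app M1 M2').

%% Check: exactly the two single-step reductions shown in the transcript are found.
%query 2 * R : (app (lam [x] app x x) (app (lam [y] y) (lam [z] z))) --> M'.

%% Multi-step reduction, as in the report.
-->* : term -> term -> type.  %infix none 10 -->*.
%name -->* R*.

id1   : M -->* M.
step1 : M --> M' -> M' -->* M'' -> M -->* M''.

%% Assumed operational variant (not in the report): written with <-, the single
%% step M --> M' is solved before the remaining sequence, so search only follows
%% reduction sequences that exist instead of guessing M' first and diverging.
multi : term -> term -> type.
multi_id   : multi M M.
multi_step : multi M M'' <- M --> M' <- multi M' M''.

%% The example term has exactly 13 finite reduction sequences (the empty one included),
%% so search terminates here with 13 answers, where the report's -->* diverges.
%query 13 * multi (app (lam [x] app x x) (app (lam [y] y) (lam [z] z))) N.

%% Lemma 1 as a relation between derivations, exactly as in the report.
appd : M -->* M' -> M' -->* M'' -> M -->* M'' -> type.
appd_id   : appd id1 S* S*.
appd_step : appd (step1 R1 R2*) S* (step1 R1 S2*')
             <- appd R2* S* S2*'.

%% Schema-checking, automated: appd is a total function of its first two arguments
%% (input coverage over id1/step1, termination by structural descent on R).
%mode appd +R +S -T.
%worlds () (appd _ _ _).
%total R (appd R _ _).

%% Run the append on the two-step reduction of (\x.\y.x) z z from Section 3.
%% The result T is step1 (apl1 beta1) (step1 beta1 id1).
z  : term.
d1 : (app (app (lam [x] lam [y] x) z) z) --> (app (lam [y] z) z) = apl1 beta1.
d2 : (app (lam [y] z) z) --> z = beta1.
%query 1 * appd (step1 d1 id1) (step1 d2 id1) T.
```

The definitions d1 and d2 pin down the implicit arguments of beta1 by their stated types; without them the query would leave non-pattern unification constraints unresolved.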

We  summarize  the  basic  principles.  A  proof  by  induction  over  the  structure  of  a  deduction 
is  represented  as  a  higher-level  judgment  which  relates  deductions.  Each  case  in  the  proof  by 
induction  corresponds  to  an  inference  rule  defining  the  higher-level  judgment.  An  appeal  to  the 
induction  hypothesis  manifests  itself  in  the  premiss  of  such  an  inference  rule.  The  judgment  and 
inference  rules  are  then  translated  into  Elf  using  the  familiar  judgments-as-types  principle.  The 
resulting  signature  can  be  executed  as  a  logic  program  to  exhibit  the  computational  content  of  the 
original,  informal  proof. 

The next lemma shows that multi-step reduction is a congruence. An inference rule is admissible
if any (ground) instance of the rule is derivable.

Lemma 2 (Congruence of →*) The rules lm1*, apl1*, and apr1* below are admissible rules of
inference.

       M →* M'
  ------------------ lm1*
   λx. M →* λx. M'

      M1 →* M1'
  -------------------- apl1*
   M1 M2 →* M1' M2

      M2 →* M2'
  -------------------- apr1*
   M1 M2 →* M1 M2'

Proof: The proof in each case is by induction over the structure of the derivation R* of the premiss.
We explicitly construct a deduction S* of the conclusion. The basic idea is to distribute the uses
of the congruence to all the single-step reductions which make up the multi-step reduction.
We show the proof only for the rule lm1*. The others are very similar and we directly give the
representation of the argument in Elf.

Case:

  R* = ---------- id1
         M →* M

Then λx. M →* λx. M also by the identity rule id1.

Case:

          R1          R2*
        M → M1     M1 →* M'
  R* = --------------------- step1
              M →* M'

From the induction hypothesis on R2* we know there exists a deduction S2* :: λx. M1 →* λx. M'.
We thus construct:

             R1
           M → M1
       ----------------- lm1          S2*
       λx. M → λx. M1         λx. M1 →* λx. M'
  S* = ---------------------------------------- step1
                    λx. M →* λx. M'

□


The main difficulty in the representation of these lemmas is the bound variable in the case of
the λ-congruence. As before, we represent the premiss as a function from a term N to a deduction
which shows that [N/x]M →* [N/x]M'. This reflects that the premiss is a parametric judgment.

  lm1* : ({x:term} M x -->* M' x)
          -> (lam M) -->* (lam M')
          -> type.

  lm1*_id   : lm1* ([x:term] id1) id1.

  lm1*_step : lm1* ([x:term] step1 (R1 x) (R2* x)) (step1 (lm1 R1) S2*)
               <- lm1* R2* S2*.

  apl1* : M1 -->* M1'
           -> (app M1 M2) -->* (app M1' M2)
           -> type.

  apl1*_id   : apl1* id1 id1.

  apl1*_step : apl1* (step1 R1 R2*) (step1 (apl1 R1) S2*)
                <- apl1* R2* S2*.

  apr1* : M2 -->* M2'
           -> (app M1 M2) -->* (app M1 M2')
           -> type.

  apr1*_id   : apr1* id1 id1.

  apr1*_step : apr1* (step1 R1 R2*) (step1 (apr1 R1) S2*)
                <- apr1* R2* S2*.


4  Parallel  Reduction  and  Conversion 

The main tool in this proof of the Church-Rosser theorem is the notion of parallel reduction, usually
referred to as the Tait/Martin-Löf method (see [Bar80]). We write M ⇒ M' for M reduces in
parallel to M'. Parallel reduction is useful, since it will satisfy the so-called diamond property which
is depicted in the following diagram.

            M
          /   \
        M'     M''
          \   /
            N

A similar diagram holds for ordinary¹ multi-step reduction →*, but not for the ordinary single-
step reduction →. The idea behind parallel reduction is that, besides contracting a redex, we
can also reduce the terms involved in the redex at the same time. Furthermore, the congruence
rule for application is generalized so we can perform reduction in both branches in parallel. A
possible reduction may or may not be performed, which means that in the extreme we should allow
M ⇒ M. In a slight departure from previously published proofs we assume this for variables
only. This simplifies some of the case analyses later on, but does not have a deep impact on the
structure of the proofs.

    M1 ⇒ M1'    M2 ⇒ M2'
  -------------------------- beta
   (λx. M1) M2 ⇒ [M2'/x]M1'

    M1 ⇒ M1'    M2 ⇒ M2'
  -------------------------- ap
      M1 M2 ⇒ M1' M2'

        M ⇒ M'
  ------------------ lm
   λx. M ⇒ λx. M'

  --------- var
    x ⇒ x

Thus parallel reduction can take bigger steps than ordinary reduction. One has to keep in mind,
however, that the ordinary definition of a normal form (a term M such that there does not exist
an M' such that M → M') must be modified for parallel reduction, since every term reduces to
itself. Under parallel reduction a term is in normal form if it only reduces to itself. Note that this
does not coincide with being free of redexes: the term (λx. x x) (λx. x x) reduces in parallel only
to itself, since contracting its redex reproduces it. As an example for parallel reduction, we
reconsider an earlier term. The two subdeductions are shown first and then combined.

  ------- var  ------- var
   x ⇒ x        x ⇒ x
  ------------------------ ap
        x x ⇒ x x

                 ------- var
  ------- var     z ⇒ z
   y ⇒ y        ---------------- lm
                 λz. z ⇒ λz. z
  ------------------------------- beta
     (λy. y) (λz. z) ⇒ λz. z

       x x ⇒ x x       (λy. y) (λz. z) ⇒ λz. z
  ----------------------------------------------- beta
   (λx. x x) ((λy. y) (λz. z)) ⇒ (λz. z) (λz. z)

The representation of parallel reduction is again as a type family, indexed by two objects.

¹ In order to distinguish reduction as introduced in the previous section we will often refer to it as ordinary
reduction. In the diagrams we will not explicitly distinguish between parallel and ordinary reduction, but it should
be clear from the context which form of reduction is depicted.

  => : term -> term -> type.  %infix none 10 =>
  %name => R


The first problem one encounters when considering the representation of the inference rules is the
rule for variables. Recall that variables of the untyped λ-calculus are represented by meta-variables
and that we thus do not have explicit constructors for them we could match against. This is a
frequent problem when dealing with higher-order abstract syntax. The solution is generally to
extend the judgment we are defining by hypotheses. That is, while deriving M1 ⇒ M1' we are
allowed to use the hypothesis x ⇒ x. The following formulation of the rule comes closer to the
Elf implementation.

   ------- u
    x ⇒ x
      ⋮
      R
   M1 ⇒ M1'       M2 ⇒ M2'
  --------------------------- beta^u
   (λx. M1) M2 ⇒ [M2'/x]M1'

The label u on the inference rule beta^u indicates that the assumptions labelled u are discharged
at this inference and not available elsewhere in the deduction. This is the essence of the notion
of hypothetical judgment (see, for example, [ML80]). We represent the deduction R of the (hypo-
thetical) judgment in the left premiss as a function whose first argument is a term x and whose
second argument is a deduction u of x ⇒ x. Applying this function to a term N and a deduction
S :: N ⇒ N yields a deduction of [N/x]M ⇒ [N/x]M'. This deduction is obtained by substi-
tuting N for x in R and then substituting the deduction S :: N ⇒ N at each place the hypothesis
x ⇒ x labelled u is used in R.


  beta : ({x:term} x => x -> M1 x => M1' x)
          -> M2 => M2'
          -> (app (lam M1) M2) => M1' M2'.

We use the same technique in the lm rule; we need to assume the appropriate var reduction wherever
a variable is introduced.

  lm : ({x:term} x => x -> M x => M' x)
        -> lam M => lam M'.

The rule for application does not require a hypothetical judgment.

  ap : M1 => M1'
        -> M2 => M2'
        -> (app M1 M2) => (app M1' M2').

These three rules complete the signature for parallel reduction. The deduction above can be
generated by the Elf interpreter, which is complete for (single-step) parallel reduction.

  ?- R : (app (lam [x] (app x x)) (app (lam [y] y) (lam [z] z))) => M'.
  Solving...
  M' = app (lam ([x:term] x)) (lam ([x:term] x)).
  R = beta ([x:term] [R:x => x] ap R R)
           (beta ([x:term] [R:x => x] R) (lm ([x:term] [R:x => x] R))).


As this example demonstrates, parallel reduction is not yet sufficient to reduce terms to normal
form, since a parallel reduction can introduce new redexes. We generate sequences of parallel
reductions as before.


  ---------- id
   M ⇒* M

   M ⇒ M'    M' ⇒* M''
  ----------------------- step
        M ⇒* M''

We represent the step rule by an infix semi-colon to simplify writing down and reading sequences
of parallel reductions.

  =>* : term -> term -> type.  %infix none 10 =>*
  %name =>* R*

  id : M =>* M.

  ;  : M => M'
        -> M' =>* M''
        -> M =>* M''.  %infix right 10 ;

Once again, this is insufficient as a program to enumerate parallel reduction sequences in a complete
fashion. Using these declarations, we can check that

  (beta ([x:term] [R:x => x] ap R R)
        (beta ([x:term] [R:x => x] R) (lm ([x:term] [R:x => x] R)))
   ; beta ([x] [R] R) (lm [x] [R] R)
   ; id) : M =>* M'

and obtain the answer

  M = app (lam ([x:term] app x x))
          (app (lam ([x:term] x)) (lam ([x:term] x))),
  M' = lam ([x:term] x).


That  is,  we  can  reach  a  normal  form  in  two  parallel  reduction  steps. 
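The following Python program is an added example, not code from the report or from the Elf implementation it describes. It computes the relation ⇒ of this section directly on terms, returning the set of all parallel reducts of a term, and iterates full developments (the parallel step that contracts every redex present) to obtain a ⇒* sequence. Terms use de Bruijn indices rather than higher-order abstract syntax, so the var rule becomes the index case and capture is handled by shifting; all names (Var, Lam, App, parallel_reducts, develop, reduce_to_normal_form, EXAMPLE, OMEGA) are this example's own. On the term (λx. x x) ((λy. y) (λz. z)) it finds four reducts and reaches λx. x in two full developments, in agreement with the sequence checked above, and it also exhibits the caveat that a term can reduce in parallel only to itself without being free of redexes.

```python
# Added example (not from the report): the parallel reduction relation => on
# de Bruijn terms.  Var(0) is the variable bound by the innermost enclosing Lam.
from dataclasses import dataclass
from typing import Union

@dataclass(frozen=True)
class Var: i: int
@dataclass(frozen=True)
class Lam: body: "Term"
@dataclass(frozen=True)
class App:
    fn: "Term"
    arg: "Term"
Term = Union[Var, Lam, App]

def shift(t: Term, d: int, c: int = 0) -> Term:
    """Add d to every free index >= c; the cutoff c rises under each binder."""
    if isinstance(t, Var): return Var(t.i + d) if t.i >= c else t
    if isinstance(t, Lam): return Lam(shift(t.body, d, c + 1))
    return App(shift(t.fn, d, c), shift(t.arg, d, c))

def subst(t: Term, s: Term, j: int = 0) -> Term:
    """Replace free index j in t by s, shifting s under binders to avoid capture."""
    if isinstance(t, Var): return s if t.i == j else t
    if isinstance(t, Lam): return Lam(subst(t.body, shift(s, 1), j + 1))
    return App(subst(t.fn, s, j), subst(t.arg, s, j))

def beta_contract(body: Term, arg: Term) -> Term:
    """(lam body) arg  ->  [arg/x]body, the conclusion of the beta rule."""
    return shift(subst(body, shift(arg, 1)), -1)

def parallel_reducts(t: Term) -> set:
    """All M' with t => M' under the rules var, lm, ap and beta.  Leaving a
    redex alone is covered by ap; var relates a variable only to itself."""
    if isinstance(t, Var): return {t}
    if isinstance(t, Lam): return {Lam(b) for b in parallel_reducts(t.body)}
    fns, args = parallel_reducts(t.fn), parallel_reducts(t.arg)
    out = {App(f, a) for f in fns for a in args}                    # rule ap
    if isinstance(t.fn, Lam):                                        # rule beta
        out |= {beta_contract(b, a)
                for b in parallel_reducts(t.fn.body) for a in args}
    return out

def develop(t: Term) -> Term:
    """The full development: the single parallel step contracting every redex
    present in t.  It is always one element of parallel_reducts(t)."""
    if isinstance(t, Var): return t
    if isinstance(t, Lam): return Lam(develop(t.body))
    if isinstance(t.fn, Lam): return beta_contract(develop(t.fn.body), develop(t.arg))
    return App(develop(t.fn), develop(t.arg))

def has_redex(t: Term) -> bool:
    """Ordinary normal-form test: no subterm of the shape (lam ...) arg."""
    if isinstance(t, Var): return False
    if isinstance(t, Lam): return has_redex(t.body)
    return isinstance(t.fn, Lam) or has_redex(t.fn) or has_redex(t.arg)

def reduces_only_to_itself(t: Term) -> bool:
    """The report's normal-form notion under =>.  Caveat: weaker than
    'not has_redex', since OMEGA below reduces in parallel only to itself."""
    return parallel_reducts(t) == {t}

def reduce_to_normal_form(t: Term, max_steps: int = 50) -> list:
    """Sequence t => M1 => ... => N of full developments ending in a beta-normal
    form; raises if none is reached within max_steps (t may have no normal form)."""
    seq = [t]
    while has_redex(seq[-1]):
        if len(seq) > max_steps:
            raise RuntimeError("no normal form within %d steps" % max_steps)
        seq.append(develop(seq[-1]))
    return seq

# Constructed inputs: the report's example term and the divergent term Omega.
EXAMPLE = App(Lam(App(Var(0), Var(0))), App(Lam(Var(0)), Lam(Var(0))))
OMEGA = App(Lam(App(Var(0), Var(0))), Lam(App(Var(0), Var(0))))
```

The set returned by parallel_reducts is the relation ⇒ restricted to one source term, so the four reducts of EXAMPLE (neither redex, the inner one, the outer one, both) are exactly the four ways of reducing it that the report's later query enumerates; reduce_to_normal_form(EXAMPLE) returns the three-element sequence ending in λx. x, while OMEGA is reported as reducing only to itself even though has_redex holds for it.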

Finally, we define a notion of parallel conversion. This can be defined as the symmetric and
transitive closure of parallel multi-step reduction, but we will define it in a slightly different way
to illustrate alternatives. The judgment is written as M ⇔ M'.

   M ⇒* M'
  ----------- reduce
   M ⇔ M'

   M ⇒* M'
  ----------- expand
   M' ⇔ M

   M ⇔ M'    M' ⇔ M''
  ---------------------- comp
        M ⇔ M''

In the Elf implementation we use ;; as an infix notation for composition.

  <=> : term -> term -> type.  %infix none 10 <=>
  %name <=> C

  reduce : M =>* M'
            -> M <=> M'.

  expand : M =>* M'
            -> M' <=> M.

  ;; : M <=> M'
        -> M' <=> M''
        -> M <=> M''.  %infix none 8 ;;

Again, as a simple lemma we prove an earlier remark, namely that every term reduces to itself
under parallel reduction.

Lemma 3 (Reflexivity of ⇒) For any term M, M ⇒ M.

Proof: The proof is by induction on the structure of M.

Case: M = x. In this case we apply the var rule.

Case: M = λx. M1. By induction hypothesis there exists an R1 :: M1 ⇒ M1. Applying the lm
rule to R1 yields a deduction of λx. M1 ⇒ λx. M1.

Case: M = M1 M2. By induction hypothesis on M1 and M2 there are deductions R1 :: M1 ⇒ M1
and R2 :: M2 ⇒ M2. Application of the ap rule yields the desired conclusion.

□

In the implementation, as in a previous example, there will be no uniform case for variables.
Instead, the appropriate reduction rule is assumed whenever a parameter is introduced. For stylistic
reasons, we make M explicit as an argument, since it is the induction variable.

  identity : {M:term} M => M -> type.

  id_lam : identity (lam M1) (lm R1)
            <- {x:term} {eqx: x => x}
                identity x eqx -> identity (M1 x) (R1 x eqx).

  id_app : identity (app M1 M2) (ap R1 R2)
            <- identity M1 R1
            <- identity M2 R2.

A second lemma shows that multi-step parallel reduction is transitive.

Lemma 4 (Transitivity of ⇒*) The following is an admissible rule of inference.

   M ⇒* M'    M' ⇒* M''
  ------------------------ append
        M ⇒* M''

Proof: By induction on the structure of the reduction R* :: M ⇒* M'. In each case we assume a
deduction S* :: M' ⇒* M'' and construct a deduction S*' :: M ⇒* M''. The proof is implemented
as a family

  append : M =>* M' -> M' =>* M'' -> M =>* M'' -> type.

Case: R* is the identity. Then M' = M and we can let S*' = S*.

  append_id : append id S* S*.

Case: R* ends in a reduction step, that is,

          R1          R2*
        M ⇒ M1     M1 ⇒* M'
  R* = --------------------- step
              M ⇒* M'

Then we apply the induction hypothesis to R2* and S* to obtain a deduction S2*' :: M1 ⇒* M''.
We add the step R1 to the beginning of S2*' to obtain S*'. In Elf:

  append_step : append (R1 ; R2*) S* (R1 ; S2*')
                 <- append R2* S* S2*'.

Recall that the infix semi-colon is our notation for the rule step.

□


5  The  Proof  of  the  Church-Rosser  Theorem 

The proof of the Church-Rosser Theorem proceeds via a sequence of lemmas. The first important
property is the substitution lemma, which is crucial in the later proof of the diamond property.
In fact, it is the substitution lemma which motivates the notion of parallel reduction. We make
the reductions explicit in the formulation of the lemma to simplify the correspondence to the
implementation. Another mechanical verification of the Church-Rosser theorem was carried out by
Shankar [Sha88] using the Boyer-Moore theorem prover [BM79]. Shankar's proof used de Bruijn's
representation for terms of the λ-calculus [dB72]; here we try a perhaps more direct route using the
idea of higher-order abstract syntax. We hope that this provides a good basis for comparison of
representation and proof techniques in different systems.

Lemma 5 (Substitution Lemma) If R :: M ⇒ M' and S :: N ⇒ N' then there exists an
R' :: [N/x]M ⇒ [N'/x]M'.

We will intersperse the implementation of the proof with the proof itself. First note that R
above is (implicitly) a parametric and hypothetical judgment: it contains the free variable x and
may appeal to the hypothesis that x ⇒ x. Putting this together with the idea that substitution is
represented via β-reduction at the meta-level (recall compositionality: ⌜[N/x]M⌝ = [⌜N⌝/x]⌜M⌝)
yields the declaration

  subst : ({x:term} x => x -> M x => M' x)
           -> N => N'
           -> M N => M' N'
           -> type.

Proof: (of the Substitution Lemma) The proof is by induction on the structure of R.

Case:

  R = ------- var
       x ⇒ x

In this case, where M = x, we have to show that there exists a derivation R' of [N/x]x ⇒
[N'/x]x. But [N/x]x = N and [N'/x]x = N' so we can let R' be S.

In Elf, this case manifests itself as an appeal to the hypothesis idx : x => x which is an
explicit parameter in the first argument to subst.

  subst_idx : subst ([x:term] [idx: x => x] idx) S S.

Case:

  R = ------- var
       y ⇒ y

and y ≠ x. In this case [N/x]y = y = [N'/x]y and we can let R' = R.

This case is represented as an assumption about the behavior of subst on the hypothesis
that y => y, wherever such a hypothesis is introduced. This is necessary in the case of a
β-reduction and a λ-congruence, that is, for the rules beta and lm.

Case: The last inference is a β-reduction, that is,

          R1          R2
       M1 ⇒ M1'    M2 ⇒ M2'
  R = -------------------------- beta.
       (λy. M1) M2 ⇒ [M2'/y]M1'

In this case we apply the induction hypothesis to R1 to obtain a deduction R1' :: [N/x]M1 ⇒
[N'/x]M1' and to R2 to obtain a deduction R2' :: [N/x]M2 ⇒ [N'/x]M2'. Combining these
with the beta rule yields a deduction

  R' :: (λy. [N/x]M1) ([N/x]M2) ⇒ [[N'/x]M2'/y]([N'/x]M1').

Using the equation (λy. [N/x]M1) ([N/x]M2) = [N/x]((λy. M1) M2) from the definition of
substitution and the corresponding equation [[N'/x]M2'/y]([N'/x]M1') = [N'/x]([M2'/y]M1') for
the right-hand side (valid since y is distinct from x and not free in N') reveals that R' is a
deduction of the required judgment.

Note how in the realization of this case in Elf, we make the appropriate assumption about
the behavior of subst on the hypothesis that y reduces to y.

  subst_beta : subst ([x:term] [idx: x => x] beta (R1 x idx) (R2 x idx))
                 S (beta R1' R2')
                <- ({y:term} {idy: y => y}
                     subst ([x:term] [idx: x => x] idy) S idy
                     -> subst ([x:term] [idx: x => x] R1 x idx y idy)
                              S (R1' y idy))
                <- subst R2 S R2'.

Also note that both premisses are again hypothetical judgments, that is, they also may contain
x free and may use the rule x => x.
Case: R ends in the congruence for application, that is,

          R1          R2
       M1 ⇒ M1'    M2 ⇒ M2'
  R = ----------------------- ap
        M1 M2 ⇒ M1' M2'

In this case we simply apply the induction hypothesis to R1 and R2 and combine the resulting
deductions R1' and R2' with the ap rule.

  subst_ap : subst ([x:term] [idx: x => x] ap (R1 x idx) (R2 x idx))
               S (ap R1' R2')
              <- subst R1 S R1'
              <- subst R2 S R2'.


Case: R ends in the congruence for λ.

            R1
        M1 ⇒ M1'
  R = ------------------- lm
      λy. M1 ⇒ λy. M1'

This case is similar to the case for beta: we apply the induction hypothesis to R1 to obtain
an R1' and then use the lm rule to obtain the desired conclusion. In this case we need to know
that [N/x](λy. M) = λy. [N/x]M which is valid by the implicit assumption that y is distinct
from x and different from all variables free in N.

Just as in the subst_beta rule, we need to make an assumption about the behavior of subst
on the hypothesis that y => y according to the case for variables y ≠ x given above.

  subst_lm : subst ([x:term] [idx: x => x] lm (R1 x idx))
               S (lm R1')
              <- ({y:term} {idy: y => y}
                   subst ([x:term] [idx: x => x] idy) S idy
                   -> subst ([x:term] [idx: x => x] R1 x idx y idy)
                            S (R1' y idy)).


This completes the proof of the substitution lemma. The next important property is the so-
called diamond lemma which, in this case, concerns single-step parallel reduction.

Theorem 6 If R' :: M ⇒ M' and R'' :: M ⇒ M'' then there exists an N and reductions
S' :: M' ⇒ N and S'' :: M'' ⇒ N. In the form of a picture:

            M
      R' /     \ R''
        M'      M''
      S' \     / S''
            N

Proof: The proof is by simultaneous induction on the structure of R' and R''. It is implemented
as a type family

  dia : M => M' -> M => M'' -> M' => N -> M'' => N -> type.

such that there will be an object of type dia R' R'' S' S'' whenever the construction in the
proof yields S' and S'' from R' and R''. In this proof we will informally apply inference rules to
deductions of the premisses to indicate the shape of a given reduction. We also heavily use inversion
in this proof. Inversion in this context means that, given the form of a conclusion, we examine
all available inference rules and eliminate those from consideration which could not produce a
conclusion of the given form. For example, if the conclusion has the form M1 M2 ⇒ N for some
M1, M2, and N, we know that the last inference must either be beta or ap, but it could not be lm
or var. Using inversion it is easy to see that the cases we consider below are exhaustive.

Case:

  R' = ------- var
        x ⇒ x

Since M' = M = x, we know by inversion that also M'' = x and R'' = R' = var. Hence we
can let N = x and complete the diagram.

            x
      var /   \ var
         x     x
      var \   / var
            x

As usual, this case will not be represented explicitly in the Elf program, but folded into the
cases where parameters are introduced.

Case:

  R'' = ------- var.
         x ⇒ x

This is the same as the previous case, since by inversion, R' = R'' in this case.
Case: Both R' and R'' end in an application of (parallel) β-reduction.

          R1'          R2'
       M1 ⇒ M1'     M2 ⇒ M2'
  R' = --------------------------- beta
       (λx. M1) M2 ⇒ [M2'/x]M1'

and

           R1''          R2''
        M1 ⇒ M1''     M2 ⇒ M2''
  R'' = ----------------------------- beta.
        (λx. M1) M2 ⇒ [M2''/x]M1''

Note that this case is not trivial, since M' = [M2'/x]M1' may be different from M'' =
[M2''/x]M1''. By two applications of the induction hypothesis we obtain the following diagrams.

            M1                         M2
     R1' /      \ R1''          R2' /      \ R2''
       M1'       M1''             M2'       M2''
     S1' \      / S1''          S2' \      / S2''
            N1                         N2

Now the substitution lemma on S1' and S2' yields an S' :: [M2'/x]M1' ⇒ [N2/x]N1. Similarly,
the substitution lemma on S1'' and S2'' yields an S'' :: [M2''/x]M1'' ⇒ [N2/x]N1 and we can
fill in the diagram:

                          (λx. M1) M2
    beta(R1', R2') = R' /             \ R'' = beta(R1'', R2'')
                [M2'/x]M1'             [M2''/x]M1''
                      S' \             / S''
                            [N2/x]N1

The implementation of this case is complicated, since we need to make the assumption that
x reduces to itself, and how dia behaves on this assumed reduction. This assumption incorporates
the case for variables above.

  dia_bb : dia (beta R1' R2') (beta R1'' R2'') S' S''
            <- ({x:term} {idx: x => x}
                 dia idx idx idx idx
                 -> dia (R1' x idx) (R1'' x idx)
                        (S1' x idx) (S1'' x idx))
            <- dia R2' R2'' S2' S2''
            <- subst S1' S2' S'
            <- subst S1'' S2'' S''.

Note that one would get a type-checking error if the various reductions did not share a source
or target as required by the diagrams, including the check on the substitution conditions.


Case: The reduction R' is a β-reduction and R'' is an application of the congruence rule ap. Then

          R1'          R2'
       M1 ⇒ M1'     M2 ⇒ M2'
  R' = --------------------------- beta
       (λx. M1) M2 ⇒ [M2'/x]M1'

and

              R1''                R2''
        (λx. M1) ⇒ M1''        M2 ⇒ M2''
  R'' = ---------------------------------- ap.
          (λx. M1) M2 ⇒ M1'' M2''

By inversion, we see that R1'' must end in an application of the λ-congruence rule lm, since
this is the only rule which reduces a term of the form λx. M1. Thus the target of R1'' has the
form λx. M1'' and

                R1''
             M1 ⇒ M1''
        -------------------- lm         R2''
        λx. M1 ⇒ λx. M1''            M2 ⇒ M2''
  R'' = ---------------------------------------- ap.
           (λx. M1) M2 ⇒ (λx. M1'') M2''

Now we can apply the induction hypothesis twice to obtain:

            M1                         M2
     R1' /      \ R1''          R2' /      \ R2''
       M1'       M1''             M2'       M2''
     S1' \      / S1''          S2' \      / S2''
            N1                         N2

By the substitution lemma there is an S' :: [M2'/x]M1' ⇒ [N2/x]N1. Furthermore, we can
apply the beta rule to S1'' and S2'' to obtain an S'' :: (λx. M1'') M2'' ⇒ [N2/x]N1 to complete the
diagram.

                          (λx. M1) M2
    beta(R1', R2') = R' /             \ R'' = ap(lm(R1''), R2'')
                [M2'/x]M1'             (λx. M1'') M2''
                      S' \             / S'' = beta(S1'', S2'')
                            [N2/x]N1

Again, in the implementation we have to assume a rule about the variable x.

  dia_bal : dia (beta R1' R2') (ap (lm R1'') R2'')
                S' (beta S1'' S2'')
             <- ({x:term} {idx: x => x}
                  dia idx idx idx idx
                  -> dia (R1' x idx) (R1'' x idx)
                         (S1' x idx) (S1'' x idx))
             <- dia R2' R2'' S2' S2''
             <- subst S1' S2' S'.
Case: The reduction R' is an application congruence and R'' is a β-reduction. This is dual to the
previous case.

  dia_alb : dia (ap (lm R1') R2') (beta R1'' R2'')
                (beta S1' S2') S''
             <- ({x:term} {idx: x => x}
                  dia idx idx idx idx
                  -> dia (R1' x idx) (R1'' x idx)
                         (S1' x idx) (S1'' x idx))
             <- dia R2' R2'' S2' S2''
             <- subst S1'' S2'' S''.

Case: Both R' and R'' end in the application congruence ap. We apply the induction hypothesis
to the two pairs of premisses and combine the resulting reductions with ap on both sides.

  dia_aa : dia (ap R1' R2') (ap R1'' R2'') (ap S1' S2') (ap S1'' S2'')
            <- dia R1' R1'' S1' S1''
            <- dia R2' R2'' S2' S2''.
Case: In the final case both sides end in an application of the lm-congruence.

           R1'                                R1''
        M1 ⇒ M1'                           M1 ⇒ M1''
  R' = ------------------- lm   and   R'' = -------------------- lm.
       λx. M1 ⇒ λx. M1'                    λx. M1 ⇒ λx. M1''

We apply the induction hypothesis to fill in the following diagram.

            M1
     R1' /      \ R1''
       M1'       M1''
     S1' \      / S1''
            N1

Now, applying the congruence to the resulting reductions S1' and S1'' we complete the diagram.

                  λx. M1
    lm(R1') = R' /      \ R'' = lm(R1'')
           λx. M1'       λx. M1''
    lm(S1') = S' \      / S'' = lm(S1'')
                  λx. N1

Once again, assumptions for variables need to be made here.

  dia_ll : dia (lm R1') (lm R1'') (lm S1') (lm S1'')
            <- ({x:term} {idx: x => x}
                 dia idx idx idx idx
                 -> dia (R1' x idx) (R1'' x idx) (S1' x idx) (S1'' x idx)).

□

The Elf rules given in the proof above are a complete implementation of the proof: whenever
we have reductions R' :: M ⇒ M' and R'' :: M ⇒ M'' then the Elf program will find an N
and reductions S' :: M' ⇒ N and S'' :: M'' ⇒ N which complete the diagram according to
the algorithm which is implicit in the proof. Type-checking the signature above guarantees a weak
form of correctness: whenever we apply dia to concrete derivations R' and R'' and dia terminates,
then we can read off a valid diagram. The process of schema-checking guarantees that dia is
total in its first two arguments. These observations together verify the diamond lemma. Schema-
checking is sketched in [PR92], but the implementation is incomplete and most of it still has to be
done by hand. Other non-trivial examples have been carried out using the methodology, such as
a verification of type soundness of Mini-ML [MP91] and a compiler from Mini-ML to a variant of
the Categorical Abstract Machine (CAM) [HP92].

As an example for the execution of the Elf program above, reconsider the term

  (λx. x x) ((λy. y) (λz. z))

which can be reduced in four different ways: the outer redex, the inner redex, both, or neither.
Thus, the following query will enumerate 16 different diagrams (we show two). Here we use the
special, top-level form sigma [x:A] B to stage queries, that is, solving sigma [x:A] B first solves
A, binds x to the result and then solves B under this binding. This operational behavior can be
simulated in Elf without this special form of query, but only in a relatively cumbersome way.

  ?- sigma [R' : (app (lam [x] (app x x)) (app (lam [y] y) (lam [z] z))) => M']
     sigma [R'' : (app (lam [x] (app x x)) (app (lam [y] y) (lam [z] z))) => M'']
     dia R' R'' (S' : M' => N) (S'' : M'' => N).
  Solving...
  M' = app (lam ([x:term] x)) (lam ([x:term] x)),
  M'' = app (lam ([x:term] x)) (lam ([x:term] x)),
  R' = beta ([x:term] [R:x => x] ap R R)
            (beta ([x:term] [R:x => x] R) (lm ([x:term] [R:x => x] R))),
  R'' = beta ([x:term] [R:x => x] ap R R)
             (beta ([x:term] [R:x => x] R) (lm ([x:term] [R:x => x] R))),
  N = app (lam ([x:term] x)) (lam ([x:term] x)),
  S' = ap (lm ([x:term] [idx:x => x] idx)) (lm ([x:term] [idx:x => x] idx)),
  S'' = ap (lm ([x:term] [idx:x => x] idx)) (lm ([x:term] [idx:x => x] idx)).

  M' = app (lam ([x:term] x)) (lam ([x:term] x)),
  M'' = app (app (lam ([x:term] x)) (lam ([x:term] x)))
            (app (lam ([x:term] x)) (lam ([x:term] x))),
  R' = beta ([x:term] [R:x => x] ap R R)
            (beta ([x:term] [R:x => x] R) (lm ([x:term] [R:x => x] R))),
  R'' = beta ([x:term] [R:x => x] ap R R)
             (ap (lm ([x:term] [R:x => x] R)) (lm ([x:term] [R:x => x] R))),
  N = app (lam ([x:term] x)) (lam ([x:term] x)),
  S' = ap (lm ([x:term] [idx:x => x] idx)) (lm ([x:term] [idx:x => x] idx)),
  S'' = ap (beta ([x:term] [idx:x => x] idx) (lm ([x:term] [idx:x => x] idx)))
           (beta ([x:term] [idx:x => x] idx) (lm ([x:term] [idx:x => x] idx))).

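The following Python program is an added example, not code from the report or its Elf signature. It represents deductions of M ⇒ M' as data (one constructor per inference rule), implements the substitution lemma and the diamond lemma as functions on deductions with the same case structure as the Elf families subst and dia above, and checks on the report's example term that all 16 pairs of deductions close into valid diagrams. De Bruijn indices replace higher-order abstract syntax, so DVar(0) under a binder plays the role of the hypothesis x ⇒ x and the substitution lemma substitutes for index 0; the names (DVar, DLm, DAp, DBeta, shift_d, subst_d, src, tgt, dia, deductions, diagram_ok) are this example's own. The target of a beta deduction is computed by the substitution lemma itself, which is the compositionality the report relies on.

```python
# Added example (not from the report): parallel-reduction deductions as data,
# with the substitution lemma (subst_d) and the diamond lemma (dia) as
# functions on them.  Inside a lm or beta deduction, index 0 is the bound
# variable and DVar(0) stands for the hypothesis x => x.
from dataclasses import dataclass
from typing import Union

@dataclass(frozen=True)
class Var: i: int
@dataclass(frozen=True)
class Lam: body: "Term"
@dataclass(frozen=True)
class App:
    fn: "Term"
    arg: "Term"
Term = Union[Var, Lam, App]

@dataclass(frozen=True)
class DVar: i: int            # rule var:  x => x
@dataclass(frozen=True)
class DLm: r: "Ded"           # rule lm:   lam M => lam M'        (r under the binder)
@dataclass(frozen=True)
class DAp:                    # rule ap:   M1 M2 => M1' M2'
    r1: "Ded"
    r2: "Ded"
@dataclass(frozen=True)
class DBeta:                  # rule beta: (lam M1) M2 => [M2'/x]M1'  (r1 under the binder)
    r1: "Ded"
    r2: "Ded"
Ded = Union[DVar, DLm, DAp, DBeta]

def shift_d(r: Ded, d: int, c: int = 0) -> Ded:
    """Shift the free indices (>= c) of a deduction, exactly as for a term."""
    if isinstance(r, DVar): return DVar(r.i + d) if r.i >= c else r
    if isinstance(r, DLm):  return DLm(shift_d(r.r, d, c + 1))
    if isinstance(r, DAp):  return DAp(shift_d(r.r1, d, c), shift_d(r.r2, d, c))
    return DBeta(shift_d(r.r1, d, c + 1), shift_d(r.r2, d, c))

def subst_d(r: Ded, s: Ded, j: int = 0) -> Ded:
    """Lemma 5: from r :: M => M' (index j free) and s :: N => N' build a
    deduction of [N/j]M => [N'/j]M'.  Index j is replaced by s (subst_idx),
    other variables stay variables (the y != x case), and j leaves scope."""
    if isinstance(r, DVar):
        if r.i == j: return s
        return DVar(r.i - 1) if r.i > j else r
    if isinstance(r, DLm):  return DLm(subst_d(r.r, shift_d(s, 1), j + 1))
    if isinstance(r, DAp):  return DAp(subst_d(r.r1, s, j), subst_d(r.r2, s, j))
    return DBeta(subst_d(r.r1, shift_d(s, 1), j + 1), subst_d(r.r2, s, j))

def src(r: Ded) -> Term:
    """The term M of a deduction r :: M => M'."""
    if isinstance(r, DVar): return Var(r.i)
    if isinstance(r, DLm):  return Lam(src(r.r))
    if isinstance(r, DAp):  return App(src(r.r1), src(r.r2))
    return App(Lam(src(r.r1)), src(r.r2))

def tgt(r: Ded) -> Term:
    """The term M' of r :: M => M'; for beta, [M2'/x]M1' is read off the
    deduction that the substitution lemma produces."""
    if isinstance(r, DVar): return Var(r.i)
    if isinstance(r, DLm):  return Lam(tgt(r.r))
    if isinstance(r, DAp):  return App(tgt(r.r1), tgt(r.r2))
    return tgt(subst_d(r.r1, r.r2))

def dia(r1: Ded, r2: Ded) -> tuple:
    """Theorem 6: from r1 :: M => M' and r2 :: M => M'' return (s1, s2) with
    s1 :: M' => N and s2 :: M'' => N, one branch per case of the proof."""
    if isinstance(r1, DVar) and isinstance(r2, DVar):        # var / var
        return r1, r2
    if isinstance(r1, DLm) and isinstance(r2, DLm):          # dia_ll
        s1, s2 = dia(r1.r, r2.r)
        return DLm(s1), DLm(s2)
    if isinstance(r1, DAp) and isinstance(r2, DAp):          # dia_aa
        s11, s12 = dia(r1.r1, r2.r1)
        s21, s22 = dia(r1.r2, r2.r2)
        return DAp(s11, s21), DAp(s12, s22)
    if isinstance(r1, DBeta) and isinstance(r2, DBeta):      # dia_bb
        s11, s12 = dia(r1.r1, r2.r1)
        s21, s22 = dia(r1.r2, r2.r2)
        return subst_d(s11, s21), subst_d(s12, s22)
    if isinstance(r1, DBeta) and isinstance(r2, DAp) and isinstance(r2.r1, DLm):
        s11, s12 = dia(r1.r1, r2.r1.r)                        # dia_bal (inversion: r2.r1 is lm)
        s21, s22 = dia(r1.r2, r2.r2)
        return subst_d(s11, s21), DBeta(s12, s22)
    if isinstance(r1, DAp) and isinstance(r2, DBeta):        # dia_alb, dual to dia_bal
        s2, s1 = dia(r2, r1)
        return s1, s2
    raise ValueError("deductions do not share a source term")

def deductions(t: Term) -> list:
    """Every deduction R :: t => M' (what the query ?- R : t => M' enumerates)."""
    if isinstance(t, Var): return [DVar(t.i)]
    if isinstance(t, Lam): return [DLm(r) for r in deductions(t.body)]
    out = [DAp(a, b) for a in deductions(t.fn) for b in deductions(t.arg)]
    if isinstance(t.fn, Lam):
        out += [DBeta(a, b) for a in deductions(t.fn.body) for b in deductions(t.arg)]
    return out

def diagram_ok(r1: Ded, r2: Ded) -> bool:
    """What type-checking dia guarantees: the four reductions fit the diamond."""
    s1, s2 = dia(r1, r2)
    return (src(r1) == src(r2) and src(s1) == tgt(r1)
            and src(s2) == tgt(r2) and tgt(s1) == tgt(s2))

# Constructed input: the report's example term (lam x. x x) ((lam y. y) (lam z. z)).
EXAMPLE = App(Lam(App(Var(0), Var(0))), App(Lam(Var(0)), Lam(Var(0))))
```

deductions(EXAMPLE) yields the four deductions of the report's query, and dia on the pair shown as the second diagram above returns ap (lm idx) (lm idx) on the left and ap (beta idx (lm idx)) (beta idx (lm idx)) on the right, as in the Elf output; diagram_ok is the check that type reconstruction performs implicitly in Elf, and running it over all 16 pairs confirms that every diagram closes.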

The next step in the proof of the Church-Rosser theorem is the strip lemma which is depicted
in the following diagram.

            M
      R' /     \ R*''
        M'      M''
     S*' \     / S''
            N

Here, R*'' and S*' stand for multi-step parallel reductions.

Lemma 7 (Strip Lemma) If R' :: M ⇒ M' and R*'' :: M ⇒* M'' then there exists an N and
reductions S*' :: M' ⇒* N and S'' :: M'' ⇒ N.

Proof: By induction over the structure of R*''. The proof is implemented as a type family strip.

  strip : M => M' -> M =>* M'' -> M' =>* N -> M'' => N -> type.

Case: R*'' is the identity reduction. Then M'' = M and we can let N be M'.

  strip_id : strip R' id id R'.

Case: R*'' ends in a reduction step.

             R1''           R2*''
          M ⇒ M1''      M1'' ⇒* M''
  R*'' = --------------------------- step
                 M ⇒* M''

Now we can appeal to the diamond lemma on R' and R1'' to obtain S1' :: M' ⇒ N1 and
S1'' :: M1'' ⇒ N1. Next the induction hypothesis on S1'' and R2*'' yields S2*' :: N1 ⇒* N and
S'' :: M'' ⇒ N, which completes the diagram with S*' = S1' ; S2*'.

Recall that the rule step was written as an infix semi-colon.

  strip_step : strip R' (R1'' ; R2*'') (S1' ; S2*') S''
                <- dia R' R1'' S1' S1''
                <- strip S1'' R2*'' S2*' S''.

□


Now we can prove the diamond property for multi-step reduction which we call confluence. In
the literature this property is often referred to as the Church-Rosser theorem, since in most situations
it is equivalent to the property of conversion actually proved in [CR36] (here: Theorem 16).

Lemma 8 (Confluence) If R*' :: M ⇒* M' and R*'' :: M ⇒* M'' then there exists an N and
reductions S*' :: M' ⇒* N and S*'' :: M'' ⇒* N.

            M
     R*' /     \ R*''
        M'      M''
     S*' \     / S*''
            N

Proof: By induction on the structure of R*'. The implementation is as a type family conf.

  conf : M =>* M' -> M =>* M'' -> M' =>* N -> M'' =>* N -> type.

Case: R*' ends in the identity. Then M' = M and we can let N be M'' to fill the diagram.

            M
      id /     \ R*''
        M       M''
    R*'' \     / id
            M''

  conf_id : conf id R*'' R*'' id.

Case: R*' ends in a reduction step R1' :: M ⇒ M1 followed by R2*' :: M1 ⇒* M'. Then we apply
the strip lemma to R1' and R*'' to obtain S1*' :: M1 ⇒* N1 and S1'' :: M'' ⇒ N1, and then
the induction hypothesis to R2*' and S1*' to obtain S*' :: M' ⇒* N and S2*'' :: N1 ⇒* N,
which fills in the diagram with S*'' = S1'' ; S2*''.

  conf_step : conf (R1' ; R2*') R*'' S*' (S1'' ; S2*'')
               <- strip R1' R*'' S1*' S1''
               <- conf R2*' S1*' S*' S2*''.


Finally we are ready to prove the Church-Rosser theorem for parallel conversion and reduction.

Theorem 9 (Church-Rosser) If M ⇔ M' then there exists a term N and reductions S* :: M ⇒* N
and S*' :: M' ⇒* N.

      M <==========> M'
       S* \        / S*'
             N

Proof: By induction over the structure of C :: M ⇔ M'. The proof is implemented as a family

  cr : M <=> M' -> M =>* N -> M' =>* N -> type.

Case: C is a reduction R* :: M ⇒* M'. Then we let N be M'.

      M ===========> M'
       R* \        / id
             M'

  cr_reduce : cr (reduce R*) R* id.

Case: C is a reduction R* :: M' ⇒* M. Then we let N be M.

      M <=========== M'
       id \        / R*
             M

  cr_expand : cr (expand R*) id R*.

Case: C is a composition of conversions. This is the interesting case.

         C1           C2
      M ⇔ M''     M'' ⇔ M'
  C = ---------------------- comp
            M ⇔ M'

Then we apply the induction hypothesis to C1 and C2, obtaining S1* :: M ⇒* N1, R1* :: M'' ⇒* N1,
R2* :: M'' ⇒* N2 and S2* :: M' ⇒* N2, followed by an appeal to confluence on R1* and R2*,
which yields T1* :: N1 ⇒* N and T2* :: N2 ⇒* N, and the transitivity of parallel multi-step
reduction.

      M <====> M'' <====> M'
       S1* \  R1* / \ R2*  / S2*
            N1        N2
         T1* \      / T2*
                N

The Elf code makes the call to the transitivity lemma explicit which is only implicit in the
diagram (we need to append the reduction sequences S1* and T1* on the left, and S2* and T2*
on the right).

  cr_compose : cr (C1 ;; C2) S* S*'
                <- cr C1 S1* R1*
                <- cr C2 R2* S2*
                <- conf R1* R2* T1* T2*
                <- append S1* T1* S*
                <- append S2* T2* S*'.


6 Equivalence of Ordinary and Parallel Reduction

In this section we will prove that multi-step ordinary reduction and multi-step parallel reduction define the same relation between terms. As a direct corollary we obtain the Church-Rosser theorem for ordinary reduction. The first lemma states that parallel reduction can be simulated by multi-step ordinary reduction.

Lemma 10 If M ⇒ N then M →* N.

Proof: By induction on the structure of R :: M ⇒ N. In each case we explicitly construct a reduction S* :: M →* N. We heavily use Lemmas 2 and 1 which state that multi-step reduction is congruent and transitive. The proof is implemented in Elf by a type family eq1.

eq1 : M => N -> M -->* N -> type.

Case:

   R = x ⇒ x

Then id1 is a multi-step reduction from x to x. As usual, this case is not directly represented as a separate declaration in the Elf implementation, but folded into the cases where parameters are introduced.

Case:

           R1             R2
       M1 ⇒ M1'       M2 ⇒ M2'
   R = ---------------------------- beta
       (λx. M1) M2 ⇒ [M2'/x]M1'

   S1*   :: M1 →* M1'                               By ind. hyp. on R1
   S1*'  :: λx. M1 →* λx. M1'                       By congruence
   S1*'' :: (λx. M1) M2 →* (λx. M1') M2             By congruence
   S2*   :: M2 →* M2'                               By ind. hyp. on R2
   S2*'  :: (λx. M1') M2 →* (λx. M1') M2'           By congruence
   S3    :: (λx. M1') M2' → [M2'/x]M1'              By beta1
   S*    :: (λx. M1) M2 →* [M2'/x]M1'               By transitivity from S1*'', S2*', and S3.

The implementation of this case is a fairly direct translation of the above algorithm. Since M1 is in the scope of x we need to make an appropriate assumption about reductions from x to x, namely that x ⇒ x is translated to id1 as indicated in the previous case. Appeals to congruence use the admissible rules from Lemma 2, depending on which congruence is required.

eq1_beta : eq1 (beta R1 R2) S*
   <- ({x:term} {eqx : x => x}
         eq1 eqx id1 -> eq1 (R1 x eqx) (S1* x))
   <- lm1* S1* S1*'
   <- apl1* S1*' S1*''
   <- eq1 R2 S2*
   <- apr1* S2* S2*'
   <- appd S2*' (step1 beta1 id1) S*'
   <- appd S1*'' S*' S*.

Case:

           R1             R2
       M1 ⇒ M1'       M2 ⇒ M2'
   R = ---------------------------- ap
           M1 M2 ⇒ M1' M2'

   S1*  :: M1 →* M1'                 By ind. hyp.
   S*'  :: M1 M2 →* M1' M2           By congruence
   S2*  :: M2 →* M2'                 By ind. hyp.
   S*'' :: M1' M2 →* M1' M2'         By congruence
   S*   :: M1 M2 →* M1' M2'          By transitivity from S*' and S*''

eq1_ap : eq1 (ap R1 R2) S*
   <- eq1 R1 S1*
   <- apl1* S1* S*'
   <- eq1 R2 S2*
   <- apr1* S2* S*''
   <- appd S*' S*'' S*.


Case:

             R1
          M1 ⇒ M1'
   R = ------------------- lm
       λx. M1 ⇒ λx. M1'

   S1* :: M1 →* M1'                By ind. hyp.
   S*  :: λx. M1 →* λx. M1'        By congruence

In the implementation, we once again have to make the proper assumption for the variable x, which may be reduced to itself.

eq1_lm : eq1 (lm R1) S*
   <- ({x:term} {eqx : x => x}
         eq1 eqx id1 -> eq1 (R1 x eqx) (S1* x))
   <- lm1* S1* S*.

□


The next lemma goes in the opposite direction, but this time we directly replace ordinary single-step reduction by parallel single-step reduction.

Lemma 11 If M → N then M ⇒ N.

Proof: The proof is by induction on R :: M → N. In each case we explicitly construct an S :: M ⇒ N. In an ordinary reduction fewer subterms are reduced, so we need to "pad" the reductions with identities to obtain the parallel reductions. For this, we employ Lemma 3 which states the reflexivity of parallel reduction.

eq2 : M --> N -> M => N -> type.

Case:

   R = ---------------------------- beta1
       (λx. M1) M2 → [M2/x]M1

Then

           I1            I2
        M1 ⇒ M1       M2 ⇒ M2
   S = --------------------------- beta
       (λx. M1) M2 ⇒ [M2/x]M1

where I1 and I2 exist by reflexivity of parallel reduction. Recall the type of the implementation of Lemma 3:

identity : {M:term} M => M -> type.

Since we have chosen to make the argument M explicit we now need to supply appropriate terms wherever we appeal to reflexivity.

eq2_beta1 : eq2 (beta1) (beta I1 I2)
   <- ({x:term} {eqx : x => x}
         identity x eqx -> identity (M1 x) (I1 x eqx))
   <- identity M2 I2.


Case:

              R1
           M1 → M1'
   R = -------------------- lm1
       λx. M1 → λx. M1'

By the induction hypothesis on R1 we know there exists an S1 :: M1 ⇒ M1'. By an application of the lm rule we conclude that λx. M1 ⇒ λx. M1'.

In the Elf implementation we need to introduce a new parameter for the bound variable x. Note that this variable does not reduce to itself, since ordinary reduction has no case x → x.

eq2_lm1 : eq2 (lm1 R1) (lm ([x:term] [eqx : x => x] S1 x))
   <- {x:term} eq2 (R1 x) (S1 x).


Case:

             R1
          M1 → M1'
   R = ------------------ apl1
       M1 M2 → M1' M2

By induction hypothesis there is an S1 :: M1 ⇒ M1' and from the reflexivity of parallel reduction we know there is an I2 :: M2 ⇒ M2. Thus we can let

           S1            I2
       M1 ⇒ M1'       M2 ⇒ M2
   S = -------------------------- ap
           M1 M2 ⇒ M1' M2

eq2_apl1 : eq2 (apl1 R1) (ap S1 I2)
   <- eq2 R1 S1
   <- identity M2 I2.


Case:

             R2
          M2 → M2'
   R = ------------------ apr1
       M1 M2 → M1 M2'

This is symmetric to the previous case.

eq2_apr1 : eq2 (apr1 R2) (ap I1 S2)
   <- eq2 R2 S2
   <- identity M1 I1.


From Lemmas 10 and 11 the equivalence of the generated multi-step reduction relations can be proved easily.

Theorem 12 M →* N iff M ⇒* N.

Proof: In both directions by simple inductions over reduction sequences. We will leave the informal proof to the reader and give only the implementation in Elf. Recall the type families

eq1 : M => N -> M -->* N -> type.
eq2 : M --> N -> M => N -> type.

which implement Lemmas 10 and 11, respectively. The families eq3 and eq4 implement the two claimed implications.

eq3 : M -->* N -> M =>* N -> type.

eq3_id   : eq3 id1 id.
eq3_step : eq3 (step1 R1 R2*) (S1 ; S2*)
   <- eq2 R1 S1
   <- eq3 R2* S2*.

eq4 : M =>* N -> M -->* N -> type.

eq4_id   : eq4 id id1.
eq4_step : eq4 (R1 ; R2*) S*
   <- eq1 R1 S1*
   <- eq4 R2* S2*
   <- appd S1* S2* S*.

□
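The Elf families above are proofs, not programs that can be run on a term. As an added illustration (not the paper's code, and not Elf) the following Python script enumerates the ordinary one-step reducts and the parallel reducts of a term and checks, by brute force on three small constructed terms, the diamond property that underlies strip and conf in the previous section, together with Lemma 10 (every parallel step is simulated by a bounded number of ordinary steps) and Lemma 11 (every ordinary step is a parallel step). Terms are represented with de Bruijn indices instead of the higher-order abstract syntax used in the paper; that choice, the sample terms and all function names are assumptions of this example.

```python
# Added example (not the paper's Elf code): brute-force check of the diamond
# property for parallel reduction and of Lemmas 10 and 11 on small terms.
# Terms use de Bruijn indices (an assumption of this example):
#   ('var', i)      bound variable, i binders up
#   ('lam', body)   abstraction
#   ('app', f, a)   application


def shift(t, d, cutoff=0):
    """Add d to every free index >= cutoff."""
    if t[0] == 'var':
        return ('var', t[1] + d) if t[1] >= cutoff else t
    if t[0] == 'lam':
        return ('lam', shift(t[1], d, cutoff + 1))
    return ('app', shift(t[1], d, cutoff), shift(t[2], d, cutoff))


def subst(body, arg, j=0):
    """[arg/x]body for the binder at depth j.  The binder disappears, so free
    indices above j move down by one; arg is shifted past the j binders it is
    placed under, which makes the substitution capture-avoiding."""
    if body[0] == 'var':
        if body[1] == j:
            return shift(arg, j)
        return ('var', body[1] - 1) if body[1] > j else body
    if body[0] == 'lam':
        return ('lam', subst(body[1], arg, j + 1))
    return ('app', subst(body[1], arg, j), subst(body[2], arg, j))


def ord_reducts(t):
    """All N with t --> N (rules beta1, lm1, apl1, apr1)."""
    if t[0] == 'var':
        return []                                       # no rule x --> x
    if t[0] == 'lam':
        return [('lam', b) for b in ord_reducts(t[1])]  # lm1
    f, a = t[1], t[2]
    out = [subst(f[1], a)] if f[0] == 'lam' else []     # beta1
    out += [('app', g, a) for g in ord_reducts(f)]      # apl1
    out += [('app', f, b) for b in ord_reducts(a)]      # apr1
    return out


def par_reducts(t):
    """All N with t => N (rules x => x, lm, ap, beta); t itself is included."""
    if t[0] == 'var':
        return [t]                                      # x => x
    if t[0] == 'lam':
        return [('lam', b) for b in par_reducts(t[1])]  # lm
    f, a = t[1], t[2]
    fs, bs = par_reducts(f), par_reducts(a)
    out = [('app', g, b) for g in fs for b in bs]       # ap
    if f[0] == 'lam':                                   # beta: reduce body and argument
        out += [subst(m, b) for m in par_reducts(f[1]) for b in bs]  # in parallel, then contract
    return out


def count_redexes(t):
    """Number of beta-redexes in t; one parallel step contracts at most this many."""
    if t[0] == 'var':
        return 0
    if t[0] == 'lam':
        return count_redexes(t[1])
    return (t[1][0] == 'lam') + count_redexes(t[1]) + count_redexes(t[2])


def ord_multi_reducts(t, depth):
    """All N with t -->* N in at most `depth` ordinary steps (bounded, so it
    terminates even when t has a non-terminating reduction sequence)."""
    seen = frontier = {t}
    for _ in range(depth):
        frontier = {n for m in frontier for n in ord_reducts(m)} - seen
        seen = seen | frontier
    return seen


def diamond_holds(m):
    """Diamond property: for all m => m', m => m'' some n has m' => n and m'' => n."""
    joins = {r: set(par_reducts(r)) for r in par_reducts(m)}
    return all(joins[a] & joins[b] for a in joins for b in joins)


def lemma10_holds(m):
    """Every parallel step from m is simulated by ordinary multi-step reduction;
    the simulation needs one beta1 per contracted redex, hence the depth bound."""
    return set(par_reducts(m)) <= ord_multi_reducts(m, count_redexes(m))


def lemma11_holds(m):
    """Every ordinary step from m is also a parallel step."""
    return set(ord_reducts(m)) <= set(par_reducts(m))


# Constructed sample terms (not from the paper).
I = ('lam', ('var', 0))                                 # λx. x
K = ('lam', ('lam', ('var', 1)))                        # λx. λy. x
OMEGA = ('lam', ('app', ('var', 0), ('var', 0)))        # λx. x x
SAMPLES = [
    ('app', ('app', K, ('app', I, I)), ('app', I, I)),  # K (I I) (I I): three redexes
    ('app', OMEGA, ('app', I, I)),                       # (λx. x x) (I I): redex gets duplicated
    ('app', I, ('app', OMEGA, OMEGA)),                   # I (Ω Ω): non-terminating argument
]


def check_all(terms=SAMPLES):
    """True iff the diamond property, Lemma 10 and Lemma 11 hold on every sample."""
    return all(diamond_holds(t) and lemma10_holds(t) and lemma11_holds(t)
               for t in terms)


if __name__ == '__main__':
    print('diamond, Lemma 10 and Lemma 11 hold on all samples:', check_all())
```

The parallel reducts of a term always contain the term itself, which is Lemma 3 (reflexivity) in executable form, and the beta case of par_reducts mirrors the paper's beta rule: body and argument are reduced first and only then is the redex contracted. The third sample shows why the Lemma 10 check is bounded by the number of redexes rather than by exhaustive search: Ω Ω reduces to itself forever under ordinary reduction, but the simulation of one parallel step never needs more beta1 steps than there are redexes in the starting term.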

From the equivalence of the reduction relations, the equivalence of conversion also follows almost immediately.

Lemma 13 If M ⇔ N then M ↔ N.

Proof: By induction on the structure of C :: M ⇔ N. In each case, we explicitly construct a C' :: M ↔ N, taking advantage of Theorem 12. Since the proof is trivial, we only give its implementation in Elf. Recall that ↔ is defined as the equivalence closure of →, while ⇔ is defined as a reduction, expansion (inverse of reduction) or composition of two conversions.

eq5 : M <=> N -> M <-> N -> type.

eq5_red   : eq5 (reduce R*) (red S*)
   <- eq4 R* S*.
eq5_exp   : eq5 (expand R*) (sym (red S*))
   <- eq4 R* S*.
eq5_trans : eq5 (C1 ;; C2) (trans C1' C2')
   <- eq5 C1 C1'
   <- eq5 C2 C2'.

□

Because of the definition of parallel conversion via reduction and expansion instead of symmetry and transitivity, we need to explicitly show the symmetry of parallel conversion as a simple lemma.

Lemma 14 If M ⇔ N then N ⇔ M.

Proof: The proof is a simple induction on the structure of C :: M ⇔ N. We only show the implementation of this proof in Elf.

sym_pconv : M <=> N -> N <=> M -> type.

spc_red   : sym_pconv (reduce R*) (expand R*).
spc_exp   : sym_pconv (expand R*) (reduce R*).
spc_trans : sym_pconv (C1 ;; C2) (C2' ;; C1')
   <- sym_pconv C1 C1'
   <- sym_pconv C2 C2'.

□


Lemma 15 If M ↔ N then M ⇔ N.

Proof: By induction on the structure of C :: M ↔ N. In each case we explicitly construct a C' :: M ⇔ N. The implementation is as a type family

eq6 : M <-> N -> M <=> N -> type.

Case:

   C = -------- refl
       M ↔ M

Then we let

            -------- id
            M ⇒* M
   C' = -------------- reduce
            M ⇔ M

eq6_refl : eq6 refl (reduce id).

Case:

            C1
          N ↔ M
   C = ----------- sym
          M ↔ N

By induction hypothesis there exists a C1' :: N ⇔ M. By symmetry of parallel conversion (Lemma 14) we obtain a C' :: M ⇔ N.

eq6_sym : eq6 (sym C1) C'
   <- eq6 C1 C1'
   <- sym_pconv C1' C'.

Case:

           C1           C2
        M ↔ M'       M' ↔ N
   C = ----------------------- trans
              M ↔ N

Then C' follows from the induction hypothesis on C1 and C2 and the transitivity rule for parallel conversion.

eq6_trans : eq6 (trans C1 C2) (C1' ;; C2')
   <- eq6 C1 C1'
   <- eq6 C2 C2'.

Case:

            R*
          M →* N
   C = ----------- red
          M ↔ N

By Theorem 12 there exists an S* :: M ⇒* N and we let

            S*
          M ⇒* N
   C' = ----------- reduce
          M ⇔ N

eq6_red : eq6 (red R*) (reduce S*)
   <- eq3 R* S*.

□

Now we can prove the Church-Rosser theorem for ordinary conversion by translating to parallel reduction. Not all of the lemmas above are actually necessary to prove this theorem.

Theorem 16 (Church-Rosser) If M ↔ M' then there exists an N such that M →* N and M' →* N.

Proof: By Lemma 15, there exists a C' :: M ⇔ M'. By the Church-Rosser theorem for parallel conversion (Theorem 9) we obtain an N and parallel multi-step reductions R* :: M ⇒* N and R*' :: M' ⇒* N. By Theorem 12 there exist S* :: M →* N and S*' :: M' →* N.

cr_ord : M <-> M' -> M -->* N -> M' -->* N -> type.

cr_all : cr_ord C S* S*'
   <- eq6 C C'
   <- cr C' R* R*'
   <- eq4 R* S*
   <- eq4 R*' S*'.

□
7 Conclusion

We have demonstrated the use of the logical framework LF and its realization in the Elf programming language for the implementation of abstract syntax, semantics, and meta-theory of an object language, the untyped λ-calculus. The main meta-theorem, the Church-Rosser property under β-reduction, is non-trivial and its implementation in Elf illustrates various representation techniques such as higher-order abstract syntax, judgments-as-types, and proofs of meta-theorems as higher-level judgments. These techniques permit the user to concentrate on the mathematical content of a proof and largely ignore details of variable naming and capture-avoiding substitution, as is usually done in informal proofs. This and the power of term reconstruction in Elf lead to a remarkably close correspondence between informal and formal proof. Starting from an understanding of the basic idea of parallel reduction and the substitution lemma, the formalization of the core of this proof was done by the author in one afternoon; cleanup work and the relation to ordinary reduction took up another day. We hope to have convinced the reader that with some practice, representation of non-trivial languages and their properties is possible with a reasonable amount of effort.

It is interesting to compare this representation with the proof by Shankar [Sha88] in the Boyer-Moore theorem prover [BM79]. While the basic mathematical ideas are very similar, Shankar expends much effort to develop an appropriate representation (using de Bruijn numbers [dB72]) and proving it correct. Many of the actual proofs are not even explicitly represented, since they are found automatically once the right series of lemmas has been developed. In contrast, in our representation almost all the details of the informal proof are present in the formalization (with the exception of the details inferred by type reconstruction). Thus the representations are of comparable length in the two implementations, but the content of what is actually written down is very different. In future work we hope to consider the question of how much of the construction of the meta-level judgments which implement induction proofs can be automated. Intuitively, they often are straightforward from the stringent constraints imposed by type dependencies. This indicates that there is a great potential for the automation of meta-theory which has yet to be explored.
A Summary of the Representation in Elf

In this appendix we summarize the Elf code shown in various places throughout the report for easy reference. The source is also labeled with the name of the file in which it appears in the implementation, which is available via anonymous ftp.*

A.1 The untyped λ-calculus

%%% File: lam.elf
%%% Untyped lambda-calculus

term : type.  %name term N

lam : (term -> term) -> term.
app : term -> term -> term.

A.2 Ordinary reduction

%%% File: ord-red.elf
%%% Ordinary reduction for the untyped lambda-calculus

--> : term -> term -> type.  %infix none 10 -->
%name --> R

beta1 : (app (lam M1) M2) --> M1 M2.
lm1   : ({x:term} N x --> M' x) -> (lam N) --> (lam M').
apl1  : M1 --> M1' -> (app M1 M2) --> (app M1' M2).
apr1  : M2 --> M2' -> (app M1 M2) --> (app M1 M2').

% Multi-step reduction

-->* : term -> term -> type.  %infix none 10 -->*
%name -->* R*

id1   : M -->* M.
step1 : M --> M' -> M' -->* M'' -> M -->* M''.

% Conversion

<-> : term -> term -> type.  %infix none 10 <->
%name <-> C

refl  : M <-> M.
sym   : M <-> M' -> M' <-> M.
trans : M <-> M' -> M' <-> M'' -> M <-> M''.
red   : M -->* M' -> M <-> M'.

* Please send electronic mail to the author at fp@cs.cmu.edu for further information.

A.3 Parallel reduction

%%% File: par-red.elf
%%% Parallel reduction in the untyped lambda calculus

=> : term -> term -> type.  %infix none 10 =>
%name => R

beta : ({x:term} x => x -> M1 x => M1' x)
        -> M2 => M2'
        -> (app (lam M1) M2) => M1' M2'.

ap   : M1 => M1'
        -> M2 => M2'
        -> (app M1 M2) => (app M1' M2').

lm   : ({x:term} x => x -> M x => M' x)
        -> lam M => lam M'.

% Parallel, multi-step reduction

=>* : term -> term -> type.  %infix none 10 =>*
%name =>* R*

id : M =>* M.
;  : M => M'
      -> M' =>* M''
      -> M =>* M''.  %infix right 10 ;

% Parallel conversion

<=> : term -> term -> type.  %infix none 10 <=>
%name <=> C

reduce : M =>* M' -> M <=> M'.
expand : M =>* M' -> M' <=> M.
;;     : M <=> M' -> M' <=> M'' -> M <=> M''.  %infix none 8 ;;

A.4 Lemmas about parallel reduction

%%% File: par-lemmas.elf
%%% Basic lemmas concerning parallel reductions

% Every term reduces to itself (in parallel)

identity : {M:term} M => M -> type.

id_lam : identity (lam M1) (lm R1)
   <- {x:term} {eqx: x => x} identity x eqx -> identity (M1 x) (R1 x eqx).

id_app : identity (app M1 M2) (ap R1 R2)
   <- identity M1 R1
   <- identity M2 R2.

% Parallel multi-step reduction is transitive.

append : M =>* M' -> M' =>* M'' -> M =>* M'' -> type.

append_id   : append id S* S*.
append_step : append (R1 ; R2*) S* (R1 ; S2*')
   <- append R2* S* S2*'.

A.5 The Church-Rosser theorem for parallel reduction

%%% File: par-cr.elf
%%% The Church-Rosser theorem for parallel reduction

% Substitution lemma for parallel reduction

subst : ({x:term} x => x -> M x => M' x)
         -> N => N'
         -> M N => M' N'
         -> type.

subst_idx : subst ([x:term] [idx: x => x] idx) S S.

subst_beta : subst ([x:term] [idx: x => x] beta (R1 x idx) (R2 x idx))
                 S (beta R1' R2')
   <- ({y:term} {idy: y => y}
         subst ([x:term] [idx: x => x] idy) S idy
         -> subst ([x:term] [idx: x => x] R1 x idx y idy)
                  S (R1' y idy))
   <- subst R2 S R2'.

subst_ap : subst ([x:term] [idx: x => x] ap (R1 x idx) (R2 x idx))
               S (ap R1' R2')
   <- subst R1 S R1'
   <- subst R2 S R2'.

subst_lm : subst ([x:term] [idx: x => x] lm (R1 x idx))
               S (lm R1')
   <- ({y:term} {idy: y => y}
         subst ([x:term] [idx: x => x] idy) S idy
         -> subst ([x:term] [idx: x => x] R1 x idx y idy)
                  S (R1' y idy)).

% Diamond property for parallel reduction

dia : M => M' -> M => M'' -> M' => N -> M'' => N -> type.

% Proof by induction on the structure of the first two derivations.
% We consider the various possible cases.
% b = beta, a = ap, l = lm.

dia_bb : dia (beta R1' R2') (beta R1'' R2'') S' S''
   <- ({x:term} {idx: x => x}
         dia idx idx idx idx
         -> dia (R1' x idx) (R1'' x idx)
                (S1' x idx) (S1'' x idx))
   <- dia R2' R2'' S2' S2''
   <- subst S1' S2' S'
   <- subst S1'' S2'' S''.

dia_bal : dia (beta R1' R2') (ap (lm R1'') R2'')
              S' (beta S1'' S2'')
   <- ({x:term} {idx: x => x}
         dia idx idx idx idx
         -> dia (R1' x idx) (R1'' x idx)
                (S1' x idx) (S1'' x idx))
   <- dia R2' R2'' S2' S2''
   <- subst S1' S2' S'.

dia_alb : dia (ap (lm R1') R2') (beta R1'' R2'')
              (beta S1' S2') S''
   <- ({x:term} {idx: x => x}
         dia idx idx idx idx
         -> dia (R1' x idx) (R1'' x idx)
                (S1' x idx) (S1'' x idx))
   <- dia R2' R2'' S2' S2''
   <- subst S1'' S2'' S''.

dia_aa : dia (ap R1' R2') (ap R1'' R2'') (ap S1' S2') (ap S1'' S2'')
   <- dia R1' R1'' S1' S1''
   <- dia R2' R2'' S2' S2''.

dia_ll : dia (lm R1') (lm R1'') (lm S1') (lm S1'')
   <- ({x:term} {idx: x => x}
         dia idx idx idx idx
         -> dia (R1' x idx) (R1'' x idx) (S1' x idx) (S1'' x idx)).

% The strip lemma for parallel reduction.

strip : M => M' -> M =>* M'' -> M' =>* N -> M'' => N -> type.

strip_id   : strip R' id id R'.
strip_step : strip R' (R1'' ; R2*'') (S1' ; S2*') S''
   <- dia R' R1'' S1' S1''
   <- strip S1'' R2*'' S2*' S''.

% Confluence for parallel multi-step reduction.

conf : M =>* M' -> M =>* M'' -> M' =>* N -> M'' =>* N -> type.

conf_id   : conf id R*'' R*'' id.
conf_step : conf (R1' ; R2*') R*'' S*' (S1'' ; S2*'')
   <- strip R1' R*'' S1*' S1''
   <- conf R2*' S1*' S*' S2*''.

% Church-Rosser Theorem for parallel reduction

cr : M <=> M' -> M =>* N -> M' =>* N -> type.

cr_reduce  : cr (reduce R*) R* id.
cr_expand  : cr (expand R*) id R*.
cr_compose : cr (C1 ;; C2) S* S*'
   <- cr C1 S1* R1*
   <- cr C2 R2* S2*
   <- conf R1* R2* T1* T2*
   <- append S1* T1* S*
   <- append S2* T2* S*'.


A.6 Lemmas about ordinary reduction

%%% File: ord-lemmas.elf
%%% Lemmas concerning ordinary multi-step reduction

% Transitivity of multi-step reduction

appd : M -->* M' -> M' -->* M'' -> M -->* M'' -> type.

appd_id   : appd id1 S* S*.
appd_step : appd (step1 R1 R2*) S* (step1 R1 S2*')
   <- appd R2* S* S2*'.

% Multi-step reduction is a congruence

lm1* : ({x:term} M x -->* M' x)
        -> (lam M) -->* (lam M')
        -> type.

lm1*_id   : lm1* ([x:term] id1) id1.
lm1*_step : lm1* ([x:term] step1 (R1 x) (R2* x)) (step1 (lm1 R1) S2*)
   <- lm1* R2* S2*.

apl1* : M1 -->* M1'
         -> (app M1 M2) -->* (app M1' M2)
         -> type.

apl1*_id   : apl1* id1 id1.
apl1*_step : apl1* (step1 R1 R2*) (step1 (apl1 R1) S2*)
   <- apl1* R2* S2*.

apr1* : M2 -->* M2'
         -> (app M1 M2) -->* (app M1 M2')
         -> type.

apr1*_id   : apr1* id1 id1.
apr1*_step : apr1* (step1 R1 R2*) (step1 (apr1 R1) S2*)
   <- apr1* R2* S2*.


A.7 Equivalence of ordinary and parallel reduction

%%% File: equiv.elf
%%% Equivalence of ordinary and parallel reduction.

% If M => N then M -->* N.

eq1 : M => N -> M -->* N -> type.

eq1_beta : eq1 (beta R1 R2) S*
   <- ({x:term} {eqx : x => x}
         eq1 eqx id1 -> eq1 (R1 x eqx) (S1* x))
   <- lm1* S1* S1*'
   <- apl1* S1*' S1*''
   <- eq1 R2 S2*
   <- apr1* S2* S2*'
   <- appd S2*' (step1 beta1 id1) S*'
   <- appd S1*'' S*' S*.

eq1_ap : eq1 (ap R1 R2) S*
   <- eq1 R1 S1*
   <- apl1* S1* S*'
   <- eq1 R2 S2*
   <- apr1* S2* S*''
   <- appd S*' S*'' S*.

eq1_lm : eq1 (lm R1) S*
   <- ({x:term} {eqx : x => x}
         eq1 eqx id1 -> eq1 (R1 x eqx) (S1* x))
   <- lm1* S1* S*.

% If M --> N then M => N.

eq2 : M --> N -> M => N -> type.

eq2_beta1 : eq2 (beta1) (beta I1 I2)
   <- ({x:term} {eqx : x => x}
         identity x eqx -> identity (M1 x) (I1 x eqx))
   <- identity M2 I2.

eq2_lm1 : eq2 (lm1 R1) (lm ([x:term] [eqx : x => x] S1 x))
   <- {x:term} eq2 (R1 x) (S1 x).

eq2_apl1 : eq2 (apl1 R1) (ap S1 I2)
   <- eq2 R1 S1
   <- identity M2 I2.

eq2_apr1 : eq2 (apr1 R2) (ap I1 S2)
   <- eq2 R2 S2
   <- identity M1 I1.

% If M -->* N then M =>* N.

eq3 : M -->* N -> M =>* N -> type.

eq3_id   : eq3 id1 id.
eq3_step : eq3 (step1 R1 R2*) (S1 ; S2*)
   <- eq2 R1 S1
   <- eq3 R2* S2*.

% If M =>* N then M -->* N.

eq4 : M =>* N -> M -->* N -> type.

eq4_id   : eq4 id id1.
eq4_step : eq4 (R1 ; R2*) S*
   <- eq1 R1 S1*
   <- eq4 R2* S2*
   <- appd S1* S2* S*.

% If M <=> N then M <-> N.

eq5 : M <=> N -> M <-> N -> type.

eq5_red   : eq5 (reduce R*) (red S*)
   <- eq4 R* S*.
eq5_exp   : eq5 (expand R*) (sym (red S*))
   <- eq4 R* S*.
eq5_trans : eq5 (C1 ;; C2) (trans C1' C2')
   <- eq5 C1 C1'
   <- eq5 C2 C2'.

% If M <=> N then N <=> M.

sym_pconv : M <=> N -> N <=> M -> type.

spc_red   : sym_pconv (reduce R*) (expand R*).
spc_exp   : sym_pconv (expand R*) (reduce R*).
spc_trans : sym_pconv (C1 ;; C2) (C2' ;; C1')
   <- sym_pconv C1 C1'
   <- sym_pconv C2 C2'.

% If M <-> N then M <=> N.

eq6 : M <-> N -> M <=> N -> type.

eq6_refl  : eq6 refl (reduce id).
eq6_sym   : eq6 (sym C1) C'
   <- eq6 C1 C1'
   <- sym_pconv C1' C'.
eq6_trans : eq6 (trans C1 C2) (C1' ;; C2')
   <- eq6 C1 C1'
   <- eq6 C2 C2'.
eq6_red   : eq6 (red R*) (reduce S*)
   <- eq3 R* S*.

A.8 The Church-Rosser theorem for ordinary reduction

%%% File: ord-cr.elf
%%% The Church-Rosser theorem for ordinary reduction

cr_ord : M <-> M' -> M -->* N -> M' -->* N -> type.

cr_all : cr_ord C S* S*'
   <- eq6 C C'
   <- cr C' R* R*'
   <- eq4 R* S*
   <- eq4 R*' S*'.